Simple Machines Community Forum

Simple Machines => News and Updates => Topic started by: LiroyvH on July 23, 2013, 12:45:08 PM

Title: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 12:45:08 PM
Dear valued community members,


On the 22nd of July 2013, it was discovered that unauthorized access to our website and database had been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admins' account passwords was discovered, and from there further escalation wasn't too difficult, considering admin privileges can do just about anything.

Unfortunately, we are 100% sure that our user database has been stolen.
As such we HIGHLY RECOMMEND, even implore you, to:
1.) Change your password on other websites you are using, if you use the same password there. This is very important to do, as it also will help prevent other websites from being hacked through your compromised password, if it is compromised.
2.) Change your password here on our website.
3.) If you use the password you use here anywhere else, say for example to login to your webhost, it is highly urged to change it.
4.) Please note that personal messages may have also been compromised. We don't know for sure if the hacker only downloaded the user tables or not, although that's the only thing he/she is after. If they did: keep in mind that passwords you shared through PM should now be considered vulnerable. It's best not to take the risk and gamble, and just change any password you shared through PM as well.
5.) Charter members, current and past, are encouraged to change ALL passwords if they ever sent any in to us. That would include FTP.

Please keep in mind:
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.

The method used by the hacker is that a database is downloaded from another hacked website, an attempt is made to decrypt the passwords, and if it is successful they try to log in to other websites using that username & password, or try to cross-reference by using password reset links.
Unfortunately for us, an Administrator used the same password elsewhere on another site, and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to log in here with admin rights.
Hundreds of websites have been hacked lately by using this method, so you are highly encouraged to change your passwords...

... And remember: don't use the same password on multiple sites!
It helps to prevent hacks like this.

Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.
By changing your passwords, you will help ensure that other sites do not fall victim to this method of hacking and help put a halt to the hacking spree that has affected hundreds, if not thousands, of websites already.

-edit for clarification-
Yes, the passwords are stored with encryption.
Unfortunately, even encrypted passwords can be decrypted. Hence, the passwords used here should not be considered safe anymore.


Any questions, please do feel free to ask.
Please stay on topic.


Kind regards,
Board of Directors
Simple Machines
Title: Re: IMPORTANT: Community security breach
Post by: Looking on July 23, 2013, 12:49:07 PM
You are serious about this? How can this happen? Not using the SAME password is basic. I don't even know my own password; I use a key for that.
Title: Re: IMPORTANT: Community security breach
Post by: vbgamer45 on July 23, 2013, 12:50:27 PM
Ouch that means we are going to get spammed now too. So the whole database and pms?

I am thinking a full site wide password reset is then in order.
Title: Re: IMPORTANT: Community security breach
Post by: Looking on July 23, 2013, 12:53:10 PM
Just updated mine.

Wondering which Admin goofed.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 12:53:44 PM
Quote from: vbgamer45 on July 23, 2013, 12:50:27 PM
Ouch that means we are going to get spammed now too. So the whole database and pms?

That is most likely out of order, thankfully.
From what we understand and hear from other websites that have been hacked in similar fashion (e.g. the Ubuntu forum, vBulletin powered), all they are after are the passwords so they can hack more websites and see how much they can get in to in the end.

As such, spamming should be unlikely. That's at least one bright point about it, I guess...
Title: Re: IMPORTANT: Community security breach
Post by: Alpay on July 23, 2013, 12:58:02 PM
OMG !!
Title: Re: IMPORTANT: Community security breach
Post by: gisfreak on July 23, 2013, 12:58:23 PM
oh my God  :-[
Title: Re: IMPORTANT: Community security breach
Post by: Antes on July 23, 2013, 01:01:30 PM
Not to say much; we're truly sorry about what happened :(
Title: Re: IMPORTANT: Community security breach
Post by: jackregan on July 23, 2013, 01:04:07 PM
Surely they could only get encrypted passwords though, right??
Title: Re: IMPORTANT: Community security breach
Post by: Looking on July 23, 2013, 01:05:47 PM
That can be decrypted.
Title: Re: IMPORTANT: Community security breach
Post by: jackregan on July 23, 2013, 01:07:29 PM
Oh :(
Title: Re: IMPORTANT: Community security breach
Post by: Raths Rants on July 23, 2013, 01:08:28 PM
I have always used low security passwords for forums. Time to step it up again  :o

There are various ways to build a better password that is unique to every site you visit.

This might be a good read for some people.

How to Build Better Passwords Without Losing Your Mind (http://www.pcworld.com/article/227023/how_to_build_a_better_password.html)

I use a slightly advanced method of this. You might give it a try. Takes a bit to wrap your head around it.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 01:08:59 PM
Yes, they are encrypted. Unfortunately it's possible to brute force with about 6.7 million to 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
Title: Re: IMPORTANT: Community security breach
Post by: xyxis_fahim on July 23, 2013, 01:09:44 PM
SMF never let me down security wise. It's as safe as you want it to be; things like this are due to a server breach rather than the forum.
Title: Re: IMPORTANT: Community security breach
Post by: bloc on July 23, 2013, 01:12:40 PM
This is not good; the admin in question should have known better IMO. On such a big site like this, it's insane to use the same password as other sites, at least if you have any kind of admin rights here.

Oh well, done is done.

Thank you for letting us know. I've changed mine just in case, though the password here was different from my personal sites.
Title: Re: IMPORTANT: Community security breach
Post by: Looking on July 23, 2013, 01:12:47 PM
Does the SMF team use hidden boards here to discuss admin stuff? If so they will have access to read all of that! If you had PMs where you passed on info - they will be able to read all of that - you are talking about everything since the start of SMF on the database - that is a big breach!
Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on July 23, 2013, 01:12:57 PM
Changed mine.
I rather suggest changing passwords once a month at the longest, due to hackers.
Title: Re: IMPORTANT: Community security breach
Post by: bloc on July 23, 2013, 01:17:36 PM
Quote from: Looking on July 23, 2013, 01:12:47 PM
Does the SMF team use hidden boards here to discuss admin stuff? If so they will have access to read all of that! If you had PMs where you passed on info - they will be able to read all of that - you are talking about everything since the start of SMF on the database - that is a big breach!
Depends on how much they got to... the db is quite big. Last I was on the team it was around 2-3 GB and it's sure to be bigger now. Quite a task just to get a backup done, as I recall. So hopefully they only got the members table and PMs perhaps. The messages table would take the longest, I would imagine.
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 01:19:28 PM
SMF is secure; just this one admin made a mistake, one that many of us have made at some point, and didn't think that they would be hit. All admins have updated their passwords and I've been working on a post for admins regarding passwords in future to help prevent this in future. I do wish to say some thank-yous though: firstly the user that reported it (for security I'll keep this name quiet). I also wish to thank Antes for doing the correct thing, informing myself and asking the user to file a security report. Also Liroy for giving up his first proper sleep in days to take action on the server side. I know our server team are going through all the logs to find everything they can about the breach! We of course will provide more information as we learn it.
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 23, 2013, 01:29:07 PM
I just want to say thank you to all of you who are working on this for your swift action and dedication to sealing the breach and limiting the damage.  Unfortunately mistakes happen.  It's the slime who prey on such mistakes that are to blame.
Title: Re: IMPORTANT: Community security breach
Post by: Ronald_1938 on July 23, 2013, 01:34:47 PM
Thanks for the report.. Good to know you're ahead of it..

I also changed my password..

Ron..
Title: Re: IMPORTANT: Community security breach
Post by: Herman's Mixen on July 23, 2013, 01:35:04 PM
Thanks for the information, changed mine also. Thanks Antes for the message he just sent me ;)
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 01:35:49 PM
Quote from: The Burglar! on July 23, 2013, 01:35:04 PM
Thanks for the information, changed mine also. Thanks Antes for the message he just sent me ;)

That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

Thank you :)
Title: Re: IMPORTANT: Community security breach
Post by: Herman's Mixen on July 23, 2013, 01:38:56 PM
I don't read that email much as it's an old account which I don't see much....
I'd like to change the email someday to my own one... As Antes did mention it, I logged into the email account, and then yes, I got the announcement...

Title: Re: IMPORTANT: Community security breach
Post by: vbgamer45 on July 23, 2013, 01:41:49 PM
Haven't seen any notifications yet, but it probably has a lot of email to send out for the community.
Title: Re: IMPORTANT: Community security breach
Post by: Crip on July 23, 2013, 01:44:33 PM
good to know.
Title: Re: IMPORTANT: Community security breach
Post by: Tomy Tran on July 23, 2013, 01:53:23 PM
I have changed my pass, but we lost another: our address. They now have a huge number of email addresses to sell to spammers.

By the way, pay attention to your Secret Question/Answer <== it has been lost too, and that way some other accounts may be hacked.
Title: Re: IMPORTANT: Community security breach
Post by: Bas on July 23, 2013, 01:57:37 PM
How can they guess a password? That can only be done if it was too simple in the first place.
I would fire that admin ;D

Title: Re: IMPORTANT: Community security breach
Post by: Antes on July 23, 2013, 01:58:57 PM
Quote from: Bas on July 23, 2013, 01:57:37 PM
How can they guess a password? That can only be done if it was too simple in the first place.
I would fire that admin ;D

Quote from: CoreISP on July 23, 2013, 01:08:59 PM
Yes, they are encrypted. Unfortunately it's possible to brute force with about 6.7 million to 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
Title: Re: IMPORTANT: Community security breach
Post by: Adrek on July 23, 2013, 02:00:32 PM
Password changed everywhere :)

Quote from: CoreISP on July 23, 2013, 01:35:49 PM
That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.
I didn't get any email about this incident.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 02:07:51 PM
Quote from: ChalkCat on July 23, 2013, 01:29:07 PM
I just want to say thank you to all of you who are working on this for your swift action and dedication to sealing the breach and limiting the damage.  Unfortunately mistakes happen.  It's the slime who prey on such mistakes that are to blame.

I agree.

My main concern, other than users sharing usernames and passwords via PM, is that the helpdesk may contain usernames and passwords. Was the helpdesk database compromised? I realise the announcement has gone out, but if the helpdesk has been compromised do we need to take further steps and reiterate to people who have used the helpdesk?

Thanks for the fast action on this.
Title: Re: IMPORTANT: Community security breach
Post by: Owdy on July 23, 2013, 02:11:04 PM
Quote from: Tony Reid on July 23, 2013, 02:07:51 PM
My main concern other than users sharing usernames and passwords via PM
This!
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 02:13:41 PM
Oh, and we need to force users to change their passwords on this site asap.

It's standard practice with breaches like this.



Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 02:15:23 PM
We are still investigating but are assuming the worst, so at this point we are running under the premise that it has been. We will be working with charter members to change their passwords if they do not know how. I have also spoken to a couple of our hosts on here asking them to remind their users that use SMF to update their passwords for their sites.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 02:16:37 PM
Yes, we are aware of the potential information which is available in PMs and from the helpdesk records.

We are still attempting to figure out exactly WHAT information was garnered, but we did not want to delay the notification of the main issue while we narrowed down details on potentials.

I believe that we are also working to inform charter members separately.

Luckily, I do not believe that there are any currently open tickets with connection details.

Finally, just a general security note: Any time you share connection details, even with the trustworthy staff here - it is always good to change the password(s) after your issue is resolved.

Tony,
I am not aware of any feature in SMF which forces users to change their password.

Title: Re: IMPORTANT: Community security breach
Post by: Ronald_1938 on July 23, 2013, 02:18:22 PM
Quote from: The Burglar! on July 23, 2013, 01:38:56 PM
I don't read that email much as it's an old account which I don't see much....
I'd like to change the email someday to my own one... As Antes did mention it, I logged into the email account, and then yes, I got the announcement...

Did not get an email, I seen it on my Facebook
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 02:22:38 PM
OldCrow may take a few hours with the size of member list :P
Title: Re: IMPORTANT: Community security breach
Post by: Ronald_1938 on July 23, 2013, 02:24:45 PM
Quote from: Runic on July 23, 2013, 02:22:38 PM
OldCrow may take a few hours with the size of member list :P

No problem Bryan, I'm not worried about this, I know you and the others have it under control. What happens, happens..
Title: Re: IMPORTANT: Community security breach
Post by: Colin on July 23, 2013, 02:26:13 PM
Thanks for your understanding. I can say with confidence that everything possible to minimize the damage and prevent this from happening again is happening.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 02:26:33 PM
Kindred, there was once a method used with a flag on a table that forced users to update when logging in. It was used if their password was stored in MD5, and that updated it to salted SHA1.

I guess the alternative is to do something forced with a password reset - or custom code something.

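A minimal model of the table-flag approach Tony Reid describes (every row flagged, no session issued until the user resets through an out-of-band token, and the hash upgraded to a slow KDF in the same step), written as an added example for this thread rather than SMF's own code. Assumptions: the in-memory `members` dict and its field names are constructed stand-ins for a members table, and the legacy scheme is taken to be SHA-1 over the lowercased username plus the password.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; tune to the login server's hardware


def legacy_hash(username, password):
    """Assumed legacy scheme: SHA-1(lowercase username + password).
    It is fast, which is exactly why a stolen table cracks quickly."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def strong_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(stored, password):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_member(username, password):
    """Constructed stand-in for a members-table row still on the legacy hash."""
    return {"member_name": username, "passwd": legacy_hash(username, password),
            "scheme": "sha1", "must_reset": False, "reset_token_hash": None}


def flag_all_for_reset(members):
    """Incident-response step: one flag per row; no password is touched yet."""
    for row in members.values():
        row["must_reset"] = True
    return len(members)


def login(members, username, password):
    """Returns 'ok', 'reset_required' or 'denied'. While the flag is set no
    session is issued, even to someone holding the correct (possibly cracked)
    old password, so the stolen hashes buy an attacker nothing here."""
    row = members.get(username)
    if row is None:
        return "denied"
    if row["scheme"] == "sha1":
        ok = hmac.compare_digest(legacy_hash(username, password), row["passwd"])
    else:
        ok = verify_strong(row["passwd"], password)
    if not ok:
        return "denied"
    return "reset_required" if row["must_reset"] else "ok"


def issue_reset_token(members, username):
    """Token to deliver out of band (e-mail). Only its hash is stored, so a
    copy of the database cannot be used to complete the reset."""
    token = secrets.token_urlsafe(32)
    members[username]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return token


def complete_reset(members, username, token, new_password):
    """Accepts the new password only with a valid token and only if it is not
    the compromised one; upgrades the row to the slow hash and clears the flag."""
    row = members.get(username)
    if row is None or row["reset_token_hash"] is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, row["reset_token_hash"]):
        return False
    if row["scheme"] == "sha1" and hmac.compare_digest(
            legacy_hash(username, new_password), row["passwd"]):
        return False  # refuse reuse of the leaked password
    row["passwd"] = strong_hash(new_password)
    row["scheme"] = "pbkdf2_sha256"
    row["must_reset"] = False
    row["reset_token_hash"] = None
    return True


def demo():
    """Walks one constructed account through flag, refusal, token and reset."""
    members = {"alice": make_member("alice", "hunter2")}  # constructed sample
    before = login(members, "alice", "hunter2")
    flag_all_for_reset(members)
    blocked = login(members, "alice", "hunter2")
    token = issue_reset_token(members, "alice")
    complete_reset(members, "alice", token, "correct horse battery staple")
    after = login(members, "alice", "correct horse battery staple")
    return before, blocked, after


if __name__ == "__main__":
    print(demo())  # ('ok', 'reset_required', 'ok')
```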
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 02:26:55 PM
We're all worried, my friend, but we are doing what we can and have implemented new security measures for admins to stop it happening again.
Title: Re: IMPORTANT: Community security breach
Post by: Simple Site Designs on July 23, 2013, 02:27:42 PM
No email alert here either. Saw on FB
Title: Re: IMPORTANT: Community security breach
Post by: vbgamer45 on July 23, 2013, 02:28:01 PM
Also reset those passwords on simplemachinesforum.org too if you can, at least for all team members there.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 02:28:26 PM
I am a fairly low number on the user list.... but the announcement has made it through at least 1500 users.
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 02:28:47 PM
vbgamer, we don't actually have access to that site; that's hosted and controlled by Compu.
Title: Re: IMPORTANT: Community security breach
Post by: SpyDie on July 23, 2013, 02:33:57 PM
You could always force a password reset for everyone's accounts, in a similar way Twitter did when they had their attack (I believe they did this).
Title: Re: IMPORTANT: Community security breach
Post by: xrunner on July 23, 2013, 02:34:39 PM
Quote from: CoreISP on July 23, 2013, 01:35:49 PM
That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

I never got any email about it from this place. I just found out about it from another forum! Good grief.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 02:36:08 PM
xRunner, There are 320,000 members to email - the email server is going as fast as it can.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 02:38:39 PM
Once again... the system is working its heart out sending those emails.
I received mine, but my user ID is below 1,500.
For those of you with user IDs in the 130,000 range or the 300,000 range, it may take a little while for the system to get your email sent out.

Title: Re: IMPORTANT: Community security breach
Post by: xrunner on July 23, 2013, 02:39:18 PM
What the Hell is going on out there? Last week I got a notice that the NASDAQ site was hacked. Then a few days ago I got an email from the Ubuntu forum that they were hacked. Now the SM forum is hacked. I'm starting to get worried about security like never before.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 02:40:13 PM
Quote from: xrunner on July 23, 2013, 02:39:18 PM
I'm starting to get worried about security like never before.

That's a good thing :)

Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 02:40:39 PM
The simple rule is don't use the same password; use a different password for each site :)
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 02:52:47 PM
Quote
Then a few days ago I got an email from the Ubuntu forum that they were hacked.

Our information says that was the same person behind it. Exactly the same method, too.
Title: Re: IMPORTANT: Community security breach
Post by: DragoN_PT on July 23, 2013, 02:53:15 PM
Well, nice move SMF *Admin.. Guess its time to move on..   :-[
Title: Re: IMPORTANT: Community security breach
Post by: Simple Site Designs on July 23, 2013, 02:53:40 PM
Quote from: Runic on July 23, 2013, 02:40:39 PM
The simple rule is don't use the same password; use a different password for each site :)

This is all well and good in theory, but unfortunately not done in practice by a great many (dare I say majority) of users. Perhaps some will learn to change their way after this breach, but more concerning is data that may be harvested from PM's and support messages (as has been noted). Users should also always use strong passwords and we (experts) have been telling them that for a long time, but without forcing it, it is often not adhered to.

I'm on a 9 week long holiday and if I had not been careful to ensure I had internet access (it is hard to get in a lot of the places I am visiting), I may well have not known about this breach for some time. I thankfully do not use the same password for everything and was able to secure the one account that could have been accessed by a password sent in a PM. Others may not be in a position to do the same.

There is little point reiterating what people should have done... It is already done. Instead we should highlight how people can protect themselves from further exposure.

My number 1 tip is: if your SMF password was the same as any email account you use, change it first, change it now and change it to something strong! If your email is compromised, you are stuffed.
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 02:58:24 PM
Of course it's easier said than done, and I am guilty of not following the theory as well, but that doesn't make it any less of a good practice ;)
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 03:00:44 PM
Quote
There is little point reiterating what people should have done... It is already done. Instead we should highlight how people can protect themselves from further exposure.

Yes, that is the most important goal at this point.


Also please let me stress this point again:
It is *not* a security flaw within the SMF software.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 03:08:40 PM
A lot of good can come out of this. As a community we can do better.

Even though the breach was due to a dumb password error by an admin, and it wasn't an exploit of the SMF software we could look at enhancing SMF in many other ways.

2FA perhaps, HTTPS at logon, separate fields in helpdesk for username/password - which get truncated every 24 hours. Segregation of admin and installer rights on the forum. Automatic password renewal every 90 days.

Automatic detection of password sharing in the forum(including PM's). I am sure there are many other ideas we could list.

The only thing is that as a community we need to pull together and get security enhancements like this done. It cannot be left just to the developers - they already have too much else on.

We need to pull together and make it happen.

Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 23, 2013, 03:08:50 PM
I think my only question would be that if you detected this "issue" YESTERDAY... why did it take until TODAY to report it?

Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 23, 2013, 03:10:21 PM
Quote from: CoreISP on July 23, 2013, 01:35:49 PM
Quote from: The Burglar! on July 23, 2013, 01:35:04 PM
Thanks for the information, changed mine also thanks Antes for the message he just sended me ;)

That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

Thank you :)

I just checked all 3 of my email addresses and no notification was found.

EDIT: Well,  my user id is in the 300K range so I'll not hold my breath for some time.

:)
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 03:11:31 PM
And your member 325360 - the email server hasn't got that far yet.
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 03:12:14 PM
Frizzle, it was identified to us late on the 22nd; for some of us it was already the 23rd. We wanted to get as much information as possible before we posted, and even now we are still finding new information.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 03:17:06 PM
let's be clear here...   it is critical to get this information out in a timely manner - we all agree on that.
It is just as critical, however, to distribute the CORRECT information on what happened and what is at risk and avoid the panic that incomplete information might cause.

So, yes, we took a few hours to examine the logs, to figure out what happened, to confirm that the breach was NOT a flaw in the SMF software and to get a handle on what we expect was the hacker's priority information to acquire.
Title: Re: IMPORTANT: Community security breach
Post by: Simple Site Designs on July 23, 2013, 03:21:10 PM
Quote
That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

I expect this comment from page 2 is why we thought the emails had already been sent. I now understand they are still sending.
Title: Re: IMPORTANT: Community security breach
Post by: vbgamer45 on July 23, 2013, 03:22:03 PM
Hmm other issue I see what if they unsubscribed from announcements then they won't get the announcement or using a different system then the SMF mail system.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 23, 2013, 03:22:23 PM
Quote from: Kindred on July 23, 2013, 03:17:06 PM
let's be clear here...   it is critical to get this information out in a timely manner - we all agree on that.
It is just as critical, however, to distribute the CORRECT information on what happened and what is at risk and avoid the panic that incomplete information might cause.

So, yes, we took a few hours to examine the logs, to figure out what happened, to confirm that the breach was NOT a flaw in the SMF software and to get a handle on what we expect was the hacker's priority information to acquire.

Being I was informed of this issue YESTERDAY at approximately 8:30PM (that would be approximately 16+ hours ago) via PM EMAIL [edit-sorry] ... I am at a loss as to why you waited so long.  This is serious business.  I am saddened that it took so long for the official announcement and I am EXTREMELY GRATIFIED that my source informed me in a timely manner.

16 hours is a long time.

EDIT: I also take issue with the usage of the words "FEW HOURS".  FEW indicates a small number.   16... is not a "FEW".

Sorry... I'm a little angry/disappointed right now.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 03:26:59 PM
Hey SimpleSiteDesigns...   assume that the emails were started at the time the first post was made and then work forward :)
even at several/10 thousand emails an hour, this will take a while for those newer members

Frizzle - get off your high horse.
I explained why.
Just because you took someone at their word with no actual details or information does not mean that we would make a worldwide announcement based on the same lack of actual detail.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 03:27:25 PM
Quote from: FrizzleFried on July 23, 2013, 03:22:23 PM
Quote from: Kindred on July 23, 2013, 03:17:06 PM
let's be clear here...   it is critical to get this information out in a timely manner - we all agree on that.
It is just as critical, however, to distribute the CORRECT information on what happened and what is at risk and avoid the panic that incomplete information might cause.

So, yes, we took a few hours to examine the logs, to figure out what happened, to confirm that the breach was NOT a flaw in the SMF software and to get a handle on what we expect was the hacker's priority information to acquire.

Being I was informed of this issue YESTERDAY at approximately 8:30PM (that would be approximately 16+ hours ago) via PM EMAIL [edit-sorry] ... I am at a loss as to why you waited so long.  This is serious business.  I am saddened that it took so long for the official announcement and I am EXTREMELY GRATIFIED that my source informed me in a timely manner.

16 hours is a long time.

EDIT: I also take issue with the usage of the words "FEW HOURS".  FEW indicates a small number.   16... is not a "FEW".

Sorry... I'm a little angry/disappointed right now.


16 hours is very fast.

Google's own advice is to advise users within 7 days .....
http://googleonlinesecurity.blogspot.co.uk/2013/05/disclosure-timeline-for-vulnerabilities.html

Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 03:28:25 PM
I'd like to emphasise something, if I may...

Change your password on your own site, if a member, here, has been helping you with your site, which involved you giving them log-in details to your site.

If these tossers HAVE got the entire database, they could, possibly, pull that information, from the PM.

Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 03:29:40 PM
I believe that has been mentioned a few times, K@-like-one :P
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 03:30:03 PM
I know. :P

Quote from: K@ on July 23, 2013, 03:28:25 PM
I'd like to emphasise something, if I may...
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 03:30:58 PM
Quote from: vbgamer45 on July 23, 2013, 03:22:03 PM
Hmm other issue I see what if they unsubscribed from announcements then they won't get the announcement or using a different system then the SMF mail system.

True, but overriding that is considered to be spam, unfortunately.
We do our best to inform everyone, but for those that chose not to be informed, all we can do is pray they read here or on Facebook or hear through someone else.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 23, 2013, 03:32:54 PM
The admin panel news feed doesn't appear to update with this news? might be worth pushing it there and also via the twitter account.
Title: Re: IMPORTANT: Community security breach
Post by: vbgamer45 on July 23, 2013, 03:33:13 PM
This would not be considered spam; this is an important announcement which could lead to them losing their account, or worse, not knowing their password is out there. I would mail those users; they should know what is going on.
Title: Re: IMPORTANT: Community security breach
Post by: danny12345 on July 23, 2013, 03:35:03 PM
Quote from: FrizzleFried on July 23, 2013, 03:08:50 PM
I think my only question would be that if you detected this "issue" YESTERDAY... why did it take until TODAY to report it?
lol you're not a very smart man are you
Title: Re: IMPORTANT: Community security breach
Post by: Owdy on July 23, 2013, 03:35:55 PM
I don't get topic notifications from here. Also, I'm user 272, and I haven't got any announcement.

edit:i saw this at Facebook.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 23, 2013, 03:38:11 PM
Quote from: danny12345 on July 23, 2013, 03:35:03 PM
Quote from: FrizzleFried on July 23, 2013, 03:08:50 PM
I think my only question would be that if you detected this "issue" YESTERDAY... why did it take until TODAY to report it?
lol you're not a very smart man are you

How do you know I am even a man... troll?

Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 03:39:32 PM
Let's stop the bickering and keep on-topic, please.
Title: Re: IMPORTANT: Community security breach
Post by: Simple Site Designs on July 23, 2013, 03:40:54 PM
Quote from: CoreISP on July 23, 2013, 03:30:58 PM
True, but overriding that is considered to be spam, unfortunately.
We do our best to inform everyone, but for those that chose not to be informed, all we can do is pray they read here or on Facebook or hear through someone else.

I would have thought this goes beyond a general announcement. Many EULAs include an exclusion for breach alerts, and any user that considers being emailed about this to be spam has their head in the sand.
Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 03:41:13 PM
...You guys knew about this hours before you chose to tell me? I could have changed everything password-wise long before this, then?

All you had to do was let me know there might have been a security issue and to change my passes. I would've just gone and done it, it would've been that easy.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 03:43:17 PM
SimpleSite...

Maybe so... but the point is: we used the internal announcement/mailing system.
To do anything else would have required more delays while we built a mailer to target everyone.

Groovy,

Excuse me? The entire community got informed (as per this announcement) as soon as we had concrete data about what happened, how it happened and what was potentially compromised. Why would we have sent you a special one-off message before we knew enough to make an official notification to everyone?
Title: Re: IMPORTANT: Community security breach
Post by: xrunner on July 23, 2013, 03:44:27 PM
Since this is theft I assume it's been reported to the authorities?
Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 03:44:34 PM
So there was no period of time when it was known but the knowledge wasn't divulged?

I'm sorry, then, my bad.
Title: Re: IMPORTANT: Community security breach
Post by: Trekkie101 on July 23, 2013, 03:47:16 PM
Quote from: Groovystar on July 23, 2013, 03:41:13 PM
...You guys knew about this hours before you chose to tell me? I could have changed everything password-wise long before this, then?

All you had to do was let me know there might have been a security issue and to change my passes. I would've just gone and done it, it would've been that easy.

The problem with notifying immediately is that the exploit may have still been live. We had to find the hole and figure out if it could be reused, or if there was anything left behind. If we notified immediately, changing your password could have been ineffective.

I promise you, this was dealt with as fast as it could be.
Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 03:47:42 PM
I see. Thank you for explaining.
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 03:47:51 PM
xrunner: we are looking into it
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 03:50:55 PM
groovy,

Why would we have held off on the announcement?
As I have already said:
We were informed that there had been a breach.
We investigated said report using the logs and investigating files and database details.
We confirmed that the breach was NOT due to a flaw in SMF (which was our biggest concern)
We cleaned up the crap payloads...
We confirmed what was the most likely target data
We composed a message that told the details
We proofread said message (not closely enough, of course, since there are several mistakes that we have been quietly fixing. :) )
We sent said message.

Frizzle is just a drama-monger

Quite honestly - a 16 hour turnaround for a notification like this is nothing short of stellar activity on the part of our Server Guy!


xrunner - we are investigating our options for reporting this.


edit - ninjad in both responses. :)
Title: Re: IMPORTANT: Community security breach
Post by: Simple Site Designs on July 23, 2013, 03:57:57 PM
Quote from: Kindred on July 23, 2013, 03:43:17 PM
SimpleSite...

Maybe so... but the point is: we used the internal announcement/mailing system.
To do anything else would have required more delays while we built a mailer to target everyone.

Understood. For the record, I'm not questioning the way this is being handled. I always have had, and continue to have, the utmost respect for the SMF team. It's just unfortunately something that can happen.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 04:00:42 PM
Even Microsoft got hacked, a while back. They copped a virus, too.

No website is 100% secure, unfortunately.
Title: Re: IMPORTANT: Community security breach
Post by: walker on July 23, 2013, 04:23:21 PM
Thanks for the heads up. why this childish bull is glorified by some folks is beyond me.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 23, 2013, 04:24:31 PM
Quote from: Kindred on July 23, 2013, 03:17:06 PM
So, yes, we took a few hours to examine the logs, to figure out what happened, to confirm that the breach was NOT a flaw in the SMF software and to get a handle on what we expect was the hacker's priority information to acquire.

Emphasis mine.  If being a "DRAMA MONGER" means pointing out when someone in power is attempting to blow smoke up our skirts,  GUILTY AS CHARGED.  16+ hours is NOT "a few hours" no matter how you look at it.  Had you been FORTHRIGHT from the get-go and posted something to the effect of "Yesterday at X:XX" or even "approximately 16 hours ago",  this DRAMA-MONGER wouldn't have to point out these things.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 04:29:37 PM
Friz, please... What's done is done.

If you disagree with what was done, fine. But, carping about it isn't going to change things.

The powers that be took what they considered to be the correct actions at the correct times.

You, obviously, disagree. Others don't.

No point in carping-on about it, here, now, is there?

Things may not have been mentioned, for obvious reasons. Things that may well have caused, or been instrumental in, that delay.

Let it go, willya? Please?
Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 04:30:00 PM
It was going on for 16+ hours?

I could've at least changed my own site's information, though I think we already changed everything recently enough.

I have no site right now. My site went down over an hour and a half ago.
Title: Re: IMPORTANT: Community security breach
Post by: Herman's Mixen on July 23, 2013, 04:32:15 PM
This is a global announcement, as we are in many different timezones.

Diggin' through the log files is a pretty time-consuming job!!
Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 04:33:16 PM
I'm terrified that my site was destroyed and won't ever be coming back. It went down about an hour and a half after the announcement was made.
Title: Re: IMPORTANT: Community security breach
Post by: Zirkon on July 23, 2013, 04:35:33 PM
Same here, both my sites are down. The Graywebhost front site is down too. No replies from CoreISP or notification as to what is going on.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 04:36:33 PM
I suspect Core's VERY busy, at the moment.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 04:41:53 PM
I'm on your site, as I type, Groovy.

Liroy's good. But, even he can't be in two places at the same time. ;)
Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 04:43:07 PM
Sure he can, he's a hosting god.
Title: Re: IMPORTANT: Community security breach
Post by: Colin on July 23, 2013, 04:43:40 PM
It looks just fine from over here, too.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 04:46:10 PM
Quote from: Groovystar on July 23, 2013, 04:43:07 PM
Sure he can, he's a hosting god.

Don't tell him that! He'll go all godlike, on us, again... ;)

Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 04:46:56 PM
Reason I brought it up on here is I'm convinced that the network is under attack due to what happened.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 04:48:52 PM
I doubt the two are related, to be honest.

I COULD be wrong. But, I seriously doubt it. :)

Just bad timing, I suspect.
Title: Re: IMPORTANT: Community security breach
Post by: Xarkurai on July 23, 2013, 04:52:31 PM
Bah, great.

Change inc.
Title: Re: IMPORTANT: Community security breach
Post by: Zirkon on July 23, 2013, 04:52:49 PM
Quote from: K@ on July 23, 2013, 04:46:10 PM
Quote from: Groovystar on July 23, 2013, 04:43:07 PM
Sure he can, he's a hosting god.

Don't tell him that! He'll go all godlike, on us, again... ;)



Well, I guess I gotta start goin' to church!!!! Both my temples are running now; just gotta get the minions back online to post again.

Thanks   ;)
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 04:54:53 PM
Unless you used the same username and password on your site that you use here, there is unlikely to be anything related.

If you did use the same information on both sites *shakes finger while tsking*

However, the incident is unlikely to be related.
After all, his goal here (and on the other sites, like Ubuntu) was not to take the sites down - it was to gather the user information without anyone knowing that he did it.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 23, 2013, 04:56:37 PM
Quote from: Zirkon on July 23, 2013, 04:52:49 PM
Well, I guess I gotta start goin' to church!!!! Both my temples are running now; just gotta get the minions back online to post again.

Thanks   ;)

Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 23, 2013, 04:59:09 PM
Quote from: Groovystar on July 23, 2013, 04:46:56 PM
Reason I brought it up on here is I'm convinced that the network is under attack due to what happened.

No, probably not. Both the website (with SMF forum) I run on CoreISP's shared hosting and my dedicated server are working fine. Depending on what you are seeing, it is possible that it is a network issue between you and the destination, or something else. Also, warriorcatsrpg)dot(com loads for me as well.
Title: Re: IMPORTANT: Community security breach
Post by: Ingtar on July 23, 2013, 05:01:02 PM
I had forgotten about my membership here and had reused this password. Thank you for the notice. I'm currently ensuring nothing that matters uses the same password.
Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 05:03:40 PM
My site is back up, but someone has been tooling with it. All of the anti-spam verifications were gone.
Title: Re: IMPORTANT: Community security breach
Post by: exxocet on July 23, 2013, 05:06:33 PM
Shame on you, SMF team! Maybe it's not a software issue, but still, IT'S YOUR FAULT.

YOU picked that guy to play admin on the SMF forums, not me. YOU should have chosen more wisely and selected a person capable of understanding basics such as not sharing the same password across multiple sites, especially when they serve on official communities.

What the hell, I know admins love to behave like gods, so why didn't he come over and face the SMF community? Why is he hiding now? Is the big admin a chicken now?
Title: Re: IMPORTANT: Community security breach
Post by: wynnyelle on July 23, 2013, 05:09:19 PM
That's kind of harsh.

I've been a victim of sabotage by rogue team members myself on my own site in the past. Sometimes you just can't anticipate these things in advance. It's already over, now we just have to do our best on damage control and use better judgement from here on.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 23, 2013, 05:10:52 PM
exxocet,

please. don't be obnoxious.
Don't tell me that *YOU* have NEVER reused a password? (If you say so, then I say you are a liar)

Title: Re: IMPORTANT: Community security breach
Post by: Colin on July 23, 2013, 05:11:31 PM
Exxocet,

That is not appropriate nor warranted. Publicly posting the administrator's name will do no good. It won't resolve the situation or lead to a productive discussion. Everyone makes mistakes, and now everything humanly possible is being done to mitigate the damage. Corrective measures are being put in place to prevent this from happening again.
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 23, 2013, 05:11:38 PM
exxocet,  please calm down.  Accidents happen all the time, also to you. Some just bring more trouble than others.
Title: Re: IMPORTANT: Community security breach
Post by: exxocet on July 23, 2013, 05:16:34 PM
Sorry Groovystar, I don't mean to be rude or offensive, but the SMF team should understand this is a serious thing. It's not a virtual world admin/mod playing roles; this is the real ****** because it can go mad IN REAL LAWS.
Simple Machines should get prepared because they are exposed right now. And not on a server and a database; they are exposed to juridical issues.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 05:18:37 PM
Quote from: exxocet on July 23, 2013, 05:16:34 PM
Sorry Groovystar, I don't mean to be rude or offensive, but the SMF team should understand this is a serious thing. It's not a virtual world admin/mod playing roles; this is the real ****** because it can go mad IN REAL LAWS.
Simple Machines should get prepared because they are exposed right now. And not on a server and a database; they are exposed to juridical issues.

Why do you think we released a news announcement within a very short timeframe to make everyone aware? :)
We know very well how serious it is and what complications there can potentially be.
Title: Re: IMPORTANT: Community security breach
Post by: Colin on July 23, 2013, 05:19:24 PM
Exxocet,

Do you mean the unauthorized 3rd party that socially engineered a password to gain access to our systems is in legal trouble? You surely don't mean we are in legal trouble.
Title: Re: IMPORTANT: Community security breach
Post by: exxocet on July 23, 2013, 05:24:13 PM
I did reuse passwords, it's true, but never on official or important sites. This is business; it's not like goofing around on your tuna fishing site. SMF has a company behind it and things could go wrong for them right now.

By the way, why the hell is it necessary that ALL admins have access to the database? Do they play MySQL with our accounts every day? Databases should be exposed only to one, maximum two server admins.
Title: Re: IMPORTANT: Community security breach
Post by: exxocet on July 23, 2013, 05:26:53 PM
Colin,
I'm just saying I'm a lawyer and I'd love to be a prosecutor on a case like this...
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 05:28:45 PM
Quote
By the way, why the hell is it necessary that ALL admins have access to the database? Do they play MySQL with our accounts every day? Databases should be exposed only to one, maximum two server admins.

You know how SMF works, right? :)
The software itself has access to the database; as such an admin account has at least some access to the database.
With some tools, that's a lot of information you can obtain simply by reading out the database.

Quote
I'm just saying I'm a lawyer and I'd love to be a prosecutor on a case like this...

I'm not really too interested in a legal argument, but what exactly is it you would want to prosecute the victim of a hack for?
Hacking is illegal, being hacked is something entirely different.

That's like saying you want to prosecute the owner of a liquor shop that got robbed.
Title: Re: IMPORTANT: Community security breach
Post by: exxocet on July 23, 2013, 05:36:41 PM
Yes, if that liquor shop holds my goods and just lost them. What are you gonna do if a bank gets robbed and it holds your savings? You won't ask for your money back just because they got robbed?
SM lost our goods (identities) and there is no way to get them back, as now those are public.

Regarding database access, I know the admin has access to the DB, but I thought this is a personalized install, not a regular vanilla install.
Title: Re: IMPORTANT: Community security breach
Post by: Daniel15 on July 23, 2013, 05:36:47 PM
Quote from: exxocet on July 23, 2013, 05:24:13 PM
By the way, why the hell is it necessary that ALL admins have access to the database? Do they play MySQL with our accounts every day? Databases should be exposed only to one, maximum two server admins.
Once you have admin access to SMF, you can upload custom code via a package and basically do whatever you want.

Quote
Depends on how much they got to... the DB is quite big. Last I was on the team it was around 2-3 GB and it's sure to be bigger now.
You haven't seen big until you see a 300 GB database. Those are fun to deal with. :P
(not a forum database, but a database at work is close to that size)
Title: Re: IMPORTANT: Community security breach
Post by: exxocet on July 23, 2013, 05:39:49 PM
I understand, thanks Daniel.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 23, 2013, 06:03:15 PM
Quote
SM lost our goods (identities) and there is no way to get them back, as now those are public.

And that happened due to theft. (Note that "identity" (nickname + email) is not a tangible good in this scenario and you didn't lose it; you still have it. The problem is someone has *a copy* of that information. Which is of course an entirely different situation.)
Also, by signing the registration agreement you agree never to hold SM liable for anything.

Look, I understand this is highly annoying. We, obviously, don't like it that our site was compromised either and I understand your frustration... Trust me, I share it. It's as much a pain to the staff as it is to users.
But I feel it's a bit of a long shot to actually say we are responsible for the fact that the hacker decided to hack in to our system and steal all the information as if we told him/her to do it. :)
We did our very best to limit the impact of the theft and let everyone know as soon as possible, I'm not sure what else you want from us. :)

Anyway, if you really want to discuss that; perhaps it's better to either move to PM or if you feel that you want to publicly talk about it: the chit chat section. (Do note: I do not promise any response.) It is after all offtopic here as this topic serves the purpose of informing users on what happened and what to do now to protect themselves. :)

For what it's worth, we do sincerely apologize for any inconvenience you may have due to this data theft.

Thanks! :)
Title: Re: IMPORTANT: Community security breach
Post by: vbgamer45 on July 23, 2013, 06:09:17 PM
I got the email; the subject was odd though: "Simple Machines Community Forum: Onderwerp"
Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on July 23, 2013, 06:10:01 PM
CoreISP is right. What is done, is done.
There is no way to blame SMF, or anyone else, except of course, the hackers.
I really believe that as long as people change their passwords, all will be fine.
That is a reason why I seriously recommend changing passwords often.
Not only on website, but also for personal things, like emails, chats, web hosts/servers, etc.
Title: Re: IMPORTANT: Community security breach
Post by: [yub] Lazo on July 23, 2013, 06:14:20 PM
I do not understand why we should now argue about these things. The hacker has already done his mess; now it is time to just do the best that is possible so that this doesn't happen again. And of course the admin whose data they have stolen is anonymous now; it is better that way, because more problems could actually happen that would not help at this time.
Title: Re: IMPORTANT: Community security breach
Post by: Trekkie101 on July 23, 2013, 06:15:40 PM
Quote from: vbgamer45 on July 23, 2013, 06:09:17 PM
I got the email; the subject was odd though: "Simple Machines Community Forum: Onderwerp"

That's a bug. Liroy's sent it, causing it to send his language over.
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 06:39:23 PM
Quote from: [yub] Lazo on July 23, 2013, 06:14:20 PM
I do not understand why we should now argue about these things. The hacker has already done his mess; now it is time to just do the best that is possible so that this doesn't happen again. And of course the admin whose data they have stolen is anonymous now; it is better that way, because more problems could actually happen that would not help at this time.

Truer words have seldom been spoken :)
Title: Re: IMPORTANT: Community security breach
Post by: [yub] Lazo on July 23, 2013, 06:52:15 PM
Quote from: Runic on July 23, 2013, 06:39:23 PM
Truer words have seldom been spoken :)

I know this was not an issue caused by the SMF system, but I think this situation will help in some ways to make the SMF system even more secure. I still think that this is just a good point to see how well the community can stand together in hard days. :)
Title: Re: IMPORTANT: Community security breach
Post by: GravuTrad on July 23, 2013, 07:09:05 PM
Really incredible!
Title: Re: IMPORTANT: Community security breach
Post by: jrstark on July 23, 2013, 07:57:32 PM
Check your profile here, my preferred language was Albanian ;-)

Didn't notice any other changes.
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 08:24:44 PM
That's nothing to do with the hack attempt, jrstark; that shows when you didn't set a language, and has done for years :P
Title: Re: IMPORTANT: Community security breach
Post by: MacGig on July 23, 2013, 09:11:58 PM
This happened to the Ubuntu forums the other day. 1.8 million accounts compromised. That site is still down.

Anyone here use LastPass? I hear it's the best thing to do: use a password manager which creates long and different passwords for every site. Any thoughts on password managers like LastPass?
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 09:17:46 PM
Yeh, it was the same hackers, and luckily we have a team that don't sleep lol
Title: Re: IMPORTANT: Community security breach
Post by: lc62003 on July 23, 2013, 09:24:21 PM
People who wanna bash.....go back to listening to your Haties music.   ;D

We can see this as a horrific incident, roll in misery, and gain nothing from it.  We could also run over to one of the "other" sites that haven't been hacked YET.  OR, we can see this as a learning opportunity.  The SMF team has already posted information to increase the security on our sites.  That's a big positive in itself.  I get the suspicion more good info will be posted when the time comes.  Good things come to those who wait.   8)
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 23, 2013, 09:46:14 PM
All of my passwords associated with SMF sites have been changed. Thanks to the SMF staff for informing us in a timely manner.  ;)
Title: Re: IMPORTANT: Community security breach
Post by: IchBin™ on July 23, 2013, 11:09:56 PM
Ouch, this sucks. Glad you guys caught the issue quickly. Changing passwords even if I do use different ones. :)
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 11:11:13 PM
best idea :) better safe than sorry :)
Title: Re: IMPORTANT: Community security breach
Post by: MrMike on July 23, 2013, 11:15:09 PM
Quote from: exxocet on July 23, 2013, 05:36:41 PM
Yes, if that liquor shop holds my goods and just lost them. What are you gonna do if a bank gets robbed and it holds your savings? You won't ask for your money back just because they got robbed?
SM lost our goods (identities) and there is no way to get them back, as now those are public.

Please stop with the hysteria.


Quote from: exxocet on July 23, 2013, 05:36:41 PM
Regarding database access, I know the admin has access to the DB, but I thought this is a personalized install, not a regular vanilla install.

You really don't understand how a server works, do you? It wouldn't matter what kind of install it was, the forum has to communicate with the database, and to do that it has to store the password somewhere. If you have forum admin access, getting to that password info is child's play.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 23, 2013, 11:18:28 PM
FWIW - I still have NOT gotten an email RE: this issue... but I HAVE gotten an email when "K" PMed me.  Not sure how that works... or why...  but I figured I should mention the fact.

Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 11:24:48 PM
Quote from: exxocet on July 23, 2013, 05:36:41 PM
Regarding database access, I know the admin has access to the DB, but I thought this is a personalized install, not a regular vanilla install.

I apologize for using this, I never saw it before, but this is incorrect, I am one of the Admins on here, however I do not have access to the database, I have never had access, so please be careful with spreading inaccurate information.
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 11:25:53 PM
Quote from: FrizzleFried on July 23, 2013, 11:18:28 PM
FWIW - I still have NOT gotten an email RE: this issue... but I HAVE gotten an email when "K" PMed me.  Not sure how that works... or why...  but I figured I should mention the fact.

So you know I haven't received the email yet either. :)
Title: Re: IMPORTANT: Community security breach
Post by: Leto Atreides II on July 23, 2013, 11:35:13 PM
Have the hackers been traced and identified?
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 23, 2013, 11:38:15 PM
As far as we can tell it's the same ones that have done other large sites, such as Ubuntu, Drupal, etc. over the last few months; however, that is as far as we have gotten at this time :(

The hackers hid their tracks well.
Title: Re: IMPORTANT: Community security breach
Post by: Mstcool on July 24, 2013, 12:48:07 AM
Do we have to be subscribed to SMF emails for us to get the email?
Title: Re: IMPORTANT: Community security breach
Post by: vbgamer45 on July 24, 2013, 12:56:14 AM
Quote from: Mstcool on July 24, 2013, 12:48:07 AM
Do we have to be subscribed to SMF emails for us to get the email?
Yes
Title: Re: IMPORTANT: Community security breach
Post by: inter on July 24, 2013, 01:48:43 AM
:police: idea:

It is necessary to remove the database backup option from the admin panel.
Title: Re: IMPORTANT: Community security breach
Post by: Herman's Mixen on July 24, 2013, 02:19:09 AM
That's not an option, as it has nothing to do with this :P
Title: Re: IMPORTANT: Community security breach
Post by: Shambles on July 24, 2013, 03:22:13 AM
"Receive forum newsletters, announcements and important notifications by email."

Ticked, but no message yet.
Title: Re: IMPORTANT: Community security breach
Post by: holodoc on July 24, 2013, 03:35:29 AM
Quote from: Inter on July 24, 2013, 01:48:43 AM
:police: idea:

It is necessary to remove the database backup option from the admin panel.
Strangely enough, it's the first thing that came to my mind when I heard of the incident. In my opinion, providing an option to perform a full database backup/download solely by trusting that the administrative login is not compromised is plain wrong. There is a reason why database security should be delegated as much as possible to the DB server itself, so using phpMyAdmin or any other tool provided by hosting providers should be the only direct way to access the forum database.
Title: Re: IMPORTANT: Community security breach
Post by: exxocet on July 24, 2013, 03:46:37 AM
Quote from: MrMike on July 23, 2013, 11:15:09 PM
Quote from: exxocet on July 23, 2013, 05:36:41 PM
Yes, if that liquor shop holds my goods and just lost them. What are you gonna do if a bank gets robbed and it holds your savings? You won't ask for your money back just because they got robbed?
SM lost our goods (identities) and there is no way to get them back, as now those are public.

Please stop with the hysteria.


Quote from: exxocet on July 23, 2013, 05:36:41 PM
Regarding database access, I know the admin has access to the DB, but I thought this is a personalized install, not a regular vanilla install.

You really don't understand how a server works, do you? It wouldn't matter what kind of install it was, the forum has to communicate with the database, and to do that it has to store the password somewhere. If you have forum admin access, getting to that password info is child's play.

Sorry Micky, your GT5 cheats / Modern War signature is telling your 15-year-old kid story. Unfortunately this is a serious discussion, talking about serious facts. Allow yourself to grow up. See ya in 2015! Eat your corn flakes!

Now, talking about servers, Runic was crystal clear: not all admins have access to the database. The server doesn't have to publicly display the database connection password, nor allow modifying or backing it up (settings.php can be CHMOD 644 to disable modification, etc.). It just happened that the victim admin had access to the database and everything went crazy; bad timing.
Title: Re: IMPORTANT: Community security breach
Post by: Avid Gamer on July 24, 2013, 03:56:45 AM
Fortunately I don't use the same passwords for different systems, and I have changed not only my password but also my email address too. I hate spammers as much as hackers.

Quote from: exxocet on July 23, 2013, 05:36:41 PM
You really don't understand how a server works, do you? It wouldn't matter what kind of install it was, the forum has to communicate with the database, and to do that it has to store the password somewhere. If you have forum admin access, getting to that password info is child's play.
Indeed it is!


Keep up the good work, Zap.  ;D
Title: Re: IMPORTANT: Community security breach
Post by: Anakin_holland on July 24, 2013, 04:56:56 AM
The mail I received was dated 5 hours after this topic was started.

Sucks that it happened, but I applaud the effort that was shown so far.

To the admin in question: We are all human. I know what you are going through, you will survive! :)
Title: Re: IMPORTANT: Community security breach
Post by: a10 on July 24, 2013, 05:35:17 AM
We all know, it's a dangerous world and * does happen, being careful or not.
Email received and pw changed.
Title: Re: IMPORTANT: Community security breach
Post by: webserfer on July 24, 2013, 06:15:37 AM
I hope you slapped this "admin" around the ears, who can't take care of his own safety?
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 24, 2013, 06:17:08 AM
I have no idea who it was. But, I think it's safe to assume that he probably did that, to himself.
Title: Re: IMPORTANT: Community security breach
Post by: bristol on July 24, 2013, 06:45:41 AM
What did they get exactly?

username and pwd, or did they get the associated email addresses as well?


Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 24, 2013, 07:21:40 AM
Quote from: Inter on July 24, 2013, 01:48:43 AM
It is necessary to remove the database backup option from the admin panel.

Funnily enough, when we do that I don't think many people will shed a tear.
On some servers it gives tons of issues. Not because it's bugged, but simply due to configuration.
We have been recommending for a while not to use it anyway.

On a sidenote though, you can disable that functionality by limiting the abilities of the SQL user connection to the DB.
But with admin access it's more a matter of slowing people down than actually blocking it completely; with a nicely made PHP script it's still possible to obtain information from the database.

Quote
Now, talking about servers, Runic was crystal clear: not all admins have access to the database. The server doesn't have to publicly display the database connection password, nor allow modifying or backing it up (settings.php can be CHMOD 644 to disable modification, etc.). It just happened that the victim admin had access to the database and everything went crazy; bad timing.

Not publicly no, but with admin access you can escalate access to the files through a variety of methods.
From that point on, you can obtain the password to connect to the database...

So whether the admin had direct access to the database or not is completely irrelevant. The forum has to know the password to connect to the database. Get access to the Settings.php file: get access to the database.
It's as simple as that. You make it sound as if you can completely secure yourself against any kind of attack when an administrator account has been compromised; that's not a fact...

Quote
or did they get the associated email addresses as well?

Yes, associated email addresses were obtained as well. It's in the user table.
Title: Re: IMPORTANT: Community security breach
Post by: bristol on July 24, 2013, 08:17:04 AM
Quote from: CoreISP on July 24, 2013, 07:21:40 AM

Yes, associated email addresses were obtained as well. It's in the user table.

Bummer. Can you please delete my account. I don't use your SMF software.
Title: Re: IMPORTANT: Community security breach
Post by: Hasanudin on July 24, 2013, 09:14:14 AM
 OMG..
Title: Re: IMPORTANT: Community security breach
Post by: Johanvd on July 24, 2013, 09:31:02 AM
Did the attacker have more access on the simplemachines site or was it limited to just the forum database?
Could he make changes to any packages at download.simplemachines.org?
Are the mods, themes and other downloads still safe?
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 24, 2013, 09:33:17 AM
Quote from: Johanvd on July 24, 2013, 09:31:02 AM
Did the attacker have more access on the simplemachines site or was it limited to just the forum database?
Could he make changes to any packages at download.simplemachines.org?
Are the mods, themes and other downloads still safe?

Only the database should be gathered, downloads shouldn't be damaged. If you are worried, do scan the files with your antivirus, if you have one.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 24, 2013, 10:23:20 AM
Downloads are isolated and just fine :)
Title: Re: IMPORTANT: Community security breach
Post by: Ckemoi on July 24, 2013, 10:25:07 AM
my password is changed
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 24, 2013, 10:30:03 AM
johanvd those are stored elsewhere, the logs show that downloads and customise were not affected.
Title: Re: IMPORTANT: Community security breach
Post by: elliatt on July 24, 2013, 10:36:04 AM
Admins -

Thank you for the notification and for what you are doing behind the scenes. Someone made a mistake, it happens.  Heaven knows I have made more than my share  ;)

Take a break, have a cold one and grab a few moments to relax.
Title: Re: IMPORTANT: Community security breach
Post by: ApplianceJunk on July 24, 2013, 10:45:27 AM
Quote from: CoreISP on July 23, 2013, 01:35:49 PM
Quote from: The Burglar! on July 23, 2013, 01:35:04 PM
Thanks for the information, changed mine also, thanks Antes for the message he just sent me ;)

That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

Thank you :)

I never received an email about this. Just happened to see the post on my own this morning.
Title: Re: IMPORTANT: Community security breach
Post by: ApplianceJunk on July 24, 2013, 10:48:50 AM
Quote from: IchBin™ on July 23, 2013, 11:09:56 PM
Ouch, this sucks. Glad you guys caught the issue quickly. Changing passwords even if I do use different ones. :)

I did the same, great minds think alike. ;)
Title: Re: IMPORTANT: Community security breach
Post by: Johanvd on July 24, 2013, 10:50:12 AM
Quote from: CoreISP on July 24, 2013, 10:23:20 AM
Downloads are isolated and just fine :)
Quote from: Runic on July 24, 2013, 10:30:03 AM
johanvd those are stored elsewhere, the logs show that downloads and customise were not affected.

Thanks!

Also thanks for your hard work to solve this.
Title: Re: IMPORTANT: Community security breach
Post by: cyberjack on July 24, 2013, 11:28:17 AM
Same topic, similar e-mail is received from Ubuntu.

http://ubuntuforums.org/announce.html
Title: Re: IMPORTANT: Community security breach
Post by: nend on July 24, 2013, 12:02:44 PM
My password here is different than my others.

Makes you wonder how beneficial the db dump in the admin panel is. If you think about it, if it wasn't there then none of this would have happened... Makes me think about disabling mine since I back up my db differently.

But then again they could just upload a mod and get a dump, convenience looks to be a security issue. :-/
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 24, 2013, 12:05:16 PM
nend... sorry, but you're wrong.
The hacker did not access the database from the admin panel backup option.
(that option would likely choke on the size of our database anyway)
Title: Re: IMPORTANT: Community security breach
Post by: nend on July 24, 2013, 12:11:15 PM
Quote from: Kindred on July 24, 2013, 12:05:16 PM
nend... sorry, but you're wrong.
The hacker did not access the database from the admin panel backup option.
(that option would likely choke on the size of our database anyway)

I guess I can be since I assumed how it happened.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 24, 2013, 01:05:54 PM
FWIW - I... the "Drama Queen"... see no benefit whatsoever in outing the admin who made this mistake. We are all human and dumping on the guy (or gal) serves no good purpose.
Title: Re: IMPORTANT: Community security breach
Post by: The Craw on July 24, 2013, 01:28:54 PM
Quote from: exxocet on July 24, 2013, 03:46:37 AM
Sorry Micky, your GT5 cheats, Modern war, signature is telling your 15 years old kid story. Unfortunately this is a serious discussion, talking about serious facts. Allow yourself to grow up. See ya in 2015! Eat your corn flakes!

Just a quick side note to defend a friend of mine, you can own gaming forums without being a kid. Mike is married and has a son in the US Air Force, so that makes him older than 15.
Title: Re: IMPORTANT: Community security breach
Post by: TimL on July 24, 2013, 02:27:39 PM
How do I delete my account? I prefer that option over having this happen again, which I find inexcusable.
Title: Re: IMPORTANT: Community security breach
Post by: IchBin™ on July 24, 2013, 02:29:14 PM
Go into your profile and select the option from the profile menu to delete your account.
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 24, 2013, 02:34:33 PM
Though this forum is probably the most secure place to be now  ;)
Title: Re: IMPORTANT: Community security breach
Post by: SpyDie on July 24, 2013, 02:51:12 PM
What steps are being done to avoid this in the future?
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 24, 2013, 03:00:47 PM
Quote from: FrizzleFried on July 24, 2013, 01:05:54 PM
FWIW - I... the "Drama Queen"... see no benefit whatsoever in outing the admin who made this mistake. We are all human and dumping on the guy (or gal) serves no good purpose.

Nicely put. :)

Quote from: SpyDie on July 24, 2013, 02:51:12 PM
What steps are being done to avoid this in the future?

I think the person responsible's sense of guilt will cover that. ;)
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 24, 2013, 03:22:32 PM
spydie we have implemented various new steps the main one is creating a stronger password policy for admins on this site.
Title: Re: IMPORTANT: Community security breach
Post by: KVL on July 24, 2013, 03:30:22 PM
 Thanks for the report.

Everything is under control.

Don't worry, be happy. :)
Title: Re: IMPORTANT: Community security breach
Post by: brianharrell on July 24, 2013, 03:44:38 PM
Good job on security amateurs!
Title: Re: IMPORTANT: Community security breach
Post by: floridaflatlander on July 24, 2013, 04:09:53 PM
Quote from: brianharrell on July 24, 2013, 03:44:38 PM
Good job on security amateurs!

Kids
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 24, 2013, 04:11:39 PM
brianharrell, please don't attack, accuse or call anyone amateurs. This attack has happened to other, larger sites who have more to lose than us, with a lot more money for better security measures; no website is 100% secure.
Title: Re: IMPORTANT: Community security breach
Post by: [yub] Lazo on July 24, 2013, 04:15:42 PM
Quote from: brianharrell on July 24, 2013, 03:44:38 PM
Good job on security amateurs!

Please show me one site that is 100% secure.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 24, 2013, 04:17:38 PM
Exactly.

Brian, if you think that your security's 100%, you're deluded.

Yeah, OK. This was a pretty silly mistake. But, can you say, hand on heart, that you've never made a silly mistake?
Title: Re: IMPORTANT: Community security breach
Post by: [yub] Lazo on July 24, 2013, 04:24:08 PM
It is not really a matter of mistakes, it is more a matter of the security level of a page. This wasn't really a security issue in the beginning, it was more a mistake that caused all that. A security issue is when your system is made in a way which someone can use for his own advantage.

I think this whole discussion goes in a wrong direction.
Title: Re: IMPORTANT: Community security breach
Post by: bloc on July 24, 2013, 04:25:44 PM
Quote from: [yub] Lazo on July 24, 2013, 04:24:08 PM
It is not really a matter of mistakes, it is more a matter of the security level of a page. This wasn't really a security issue in the beginning, it was more a mistake that caused all that. A security issue is when your system is made in a way which someone can use for his own advantage.

+1

(a like button would be nice now :D )
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 24, 2013, 04:28:37 PM
Oh, I think that we've confessed, quite rightly, that one of our guys goofed.

If they hadn't used the same password, here, as they do on their own site, the hack MAY not have happened.

My belief is that it would've happened, anyway, eventually.

The problem with anti spyware/virus/security software is that it's always playing catch-up.
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 24, 2013, 04:31:51 PM
Agreed.  The hacker seems pretty determined on his spree, I think he would have found a way in eventually.  Better security breeds better hackers.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 24, 2013, 04:32:32 PM
Okay, I have put this off too long. Other than Craigs List I have never encountered so many whining babies. If you want your account removed then remove it. So your username and password "may" have been compromised. So what? You are just 1 (one) out of 320,331 members here. The chances of your username and/or password being used to infiltrate your own websites are extremely slim. You would have better luck winning the lottery. I am sure that whoever did this was not here on a mission to hack into your account. And, if you use the same login info on multiple sites then you deserve to be hacked.

As for those that are dumping on the admin who may have caused this, shame on you. Like you have never made a mistake or used bad judgement at some point in your life. Are you in some sort of pain or agony over this? Do you need psychological help due to stress over this situation? Has your website been compromised? Are you losing sleep because of this? I think not.
Dump the high and mighty attitude and find something worthwhile to complain about.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 24, 2013, 04:34:40 PM
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 24, 2013, 04:38:24 PM
ARG I soo agree :)

and for future here is an official response about the Admin, and I will type it in caps so everyone can see:

WE WILL NOT BE TAKING ACTION ON THE ADMIN AND WE WILL NOT BE SHARING THE IDENTITY OF THE ADMIN!
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 24, 2013, 04:42:37 PM
Damned right, too.

Dunno who it was and I don't want to, either.
Title: Re: IMPORTANT: Community security breach
Post by: MarkRH on July 24, 2013, 04:53:33 PM
Thanks for the heads-up. Changed my password here. I used that password only here and the email address I have here is the only place I used it. Since my webhost allows unlimited email forwarding I make a separate email for each place I register, which makes it really easy to tell where a leaked/sold email address came from if I start getting spam on it. :)
Title: Re: IMPORTANT: Community security breach
Post by: The Craw on July 24, 2013, 05:10:12 PM
Quote from: ARG on July 24, 2013, 04:32:32 PM
Okay, I have put this off too long. Other than Craigs List I have never encountered so many whining babies. If you want your account removed then remove it. So your username and password "may" have been compromised. So what? You are just 1 (one) out of 320,331 members here. The chances of your username and/or password being used to infiltrate your own websites are extremely slim. You would have better luck winning the lottery. I am sure that whoever did this was not here on a mission to hack into your account. And, if you use the same login info on multiple sites then you deserve to be hacked.

As for those that are dumping on the admin who may have caused this, shame on you. Like you have never made a mistake or used bad judgement at some point in your life. Are you in some sort of pain or agony over this? Do you need psychological help due to stress over this situation? Has your website been compromised? Are you losing sleep because of this? I think not.
Dump the high and mighty attitude and find something worthwhile to complain about.

Couldn't have said it better myself.
Title: Re: IMPORTANT: Community security breach
Post by: bacanzito on July 24, 2013, 05:54:24 PM
OMG !!
Title: Re: IMPORTANT: Community security breach
Post by: Peter_AUS on July 24, 2013, 06:07:43 PM
As an owner/administrator of several sites I run, this really didn't bother me, as much as I have read, I use strong passwords and not the same one for any sites or places I am registered with. Hacks happen, fact of life on the internet. One of my sites gets constantly bombarded with hackers and spammers, and spam registrations very rarely get through, due to how my software is set up and also the way the server is set up as well. The only reason that I can think of for not being a victim to any hacks (touch wood) is because a friend who is very savvy in security has set up my system to be virtually impregnable, though as has been said, nothing is impregnable. Even large corporations, banks, governments etc. have been hacked and they spend zillions of $$$'s on security. Basically security is only as good as the person who sets it up.

For heavens sake leave the Admins alone and get on with life, 10 pages of virtual complaining, over a site that is free and supplies the product free is just a lot of Bull S**t as far as I am concerned.  Leave them alone and let them get on with what they do.

To the Admin concerned, Lesson learnt and we all have and will make mistakes in life.  It is the fact we learn from these mistakes that make us better Admins.

And although it says I am a Newbie, I have in fact been a member since 2007, I just don't post here that often.
Title: Re: IMPORTANT: Community security breach
Post by: Ranti84 on July 24, 2013, 06:17:49 PM
Haven't been here for a long time (since 2007 by the look of my very short post history). Frankly, I forgot what password this place used. I'm sure I probably used it elsewhere at the time but I know my password scheme has changed since then.

Regardless, I changed the password here to something that is completely different from other ones I use.  ...since I forgot about even HAVING this account I may end up forgetting again (or the password at the very least).

Just to emphasize, when I checked my profile after seeing the post about the secret question (mine was blank) I noticed my 'native language' was Albanian too.  Maybe it's just because I hadn't been here for so long and it was a feature added since 2007?

Also, I noticed the 'odd' email subject too (Simple Machines Community Forum: Onderwerp).  For what it's worth, I got my email yesterday at 12 PM CST.

Mistakes happen...even big mistakes like this...and it's known where the fault lies.  There's no use in crucifying whoever it happened to, I'm sure they feel horrible enough as it is.
Title: Re: IMPORTANT: Community security breach
Post by: Leto Atreides II on July 24, 2013, 06:42:28 PM
Quote from: TimL on July 24, 2013, 02:27:39 PM
How do I delete my account? I prefer that option over having this happen again, which I find inexcusable.
Wow. How many professions have a 100% success rate? Even dedicated surgeons can lose the life of a patient. Since no one is impervious to hacking, you may as well delete all your e-mail accounts, Facebook and any other social sites you may be on, sell your computer and stay safely far away from all the Internet.
Title: Re: IMPORTANT: Community security breach
Post by: Leto Atreides II on July 24, 2013, 06:45:20 PM
Name.com suffered a similar breach not too long ago:

Received May 8th:
Quote
We are writing to inform you of a security measure we have taken to protect the integrity of the domain names and information associated with your account.

Name.com recently discovered a security breach where customer account information including usernames, email addresses, and encrypted passwords and encrypted credit card account information may have been accessed by unauthorized individuals. It appears that the security breach was motivated by an attempt to gain information on a single, large commercial account at Name.com.

Name.com stores your credit card information using strong encryption and the private keys required to access that information are stored physically in a separate remote location that was not compromised. Therefore, we don't believe that your credit card information was accessed in a usable format. Additionally, your EPP codes (required for domain transfers) were unaffected as they are also stored separately. We have no evidence to suggest that your data has been used for fraudulent activities.

As a response to these developments, and as a precautionary measure, we are requiring that all customers reset their passwords before logging in. If you use your previous Name.com password in other online systems, we also strongly recommend that you change your password in each of those systems as well.

Please click the link below to reset your password:
[link redacted]

We take this matter very seriously. We've already implemented additional security measures and will continue to work diligently to protect the safety and security of your personal information.

We sincerely apologize for the inconvenience. If you need any additional assistance or have any questions please email [email protected]. We'll continue to be as open and honest with you as possible as additional important information becomes available, so keep your eye out for a blog post or additional emails.

Thanks,
The Name.com Team
Title: Re: IMPORTANT: Community security breach
Post by: CountryLady on July 24, 2013, 06:54:01 PM
In addition to identifying a few possible reasons that some did not get the email, (see below) I'd like to say... Many "Thanks!" to all who have been hard at work on this issue and those who manage to keep their cool when some members have tantrums. Eventually, they will learn it is much smarter to be part of the solution, rather than part of the problem.

I'm with Tony Reid...
Quote from: Tony Reid on July 23, 2013, 03:08:40 PM
A lot of good can come out of this. As a community we can do better.

Even though the breach was due to a dumb password error by an admin, and it wasn't an exploit of the SMF software we could look at enhancing SMF in many other ways.

2FA perhaps, HTTPS at logon, separate fields in helpdesk for username/password - which get truncated every 24 hours. Segregation of admin and installer rights on the forum. Automatic password renewal every 90 days.

Automatic detection of password sharing in the forum(including PM's). I am sure there are many other ideas we could list.

The only thing is that as a community we need to pull together and get security enhancements like this done. It cannot be left just to the developers - they already have too much else on.

We need to pull together and make it happen.

"Stuff Happens" -- always has and always will. Our challenge is to do all that we can to protect ourselves if we've been lax in our password habits, recognize that we can all contribute to making SMF, our own forums and everything else more secure.

Those who have not received the email announcement might want to consider the following:
:) Check your email address in your SMF profile to see if it is still valid.
:) Check your email client's SPAM filter.
:) Check to make sure there IS a checkmark in the box to receive Important Announcements from SMF. This is available via your Profile > Notifications

Simple Machines Community Forum » Profile of CountryLady » Notifications *
Profile Info > Modify Profile
(Caution: there are several pages to this... 1-2-3, etc.)

Profile
SMF allows you to be notified of replies to posts, newly posted topics, and forum announcements. You can change those settings here, or oversee the topics and boards you are currently receiving notifications for.

[  ] Receive forum newsletters, announcements and important notifications by email.


:)  :) ALSO... Check to make sure you have clicked "Notify" at the top of the "News and Updates"  Board. This is DIFFERENT from checking the "Receive Announcements from Forum Administrators" box in your profile > Modify Profile...!
This leads to an email to your address on record that says...
A new topic, 'IMPORTANT: Community security breach', has been made on a board you are watching.

You can see it at
http://www.simplemachines.org/community/index.php?topic=508232.new#new


(LOOK AT THIS NEXT LINE...)
More topics may be posted, but you won't receive more email notifications until you return to the board and read some of them.

(I've been guilty of forgetting this a few times myself.) :-[

To the Admin who used a duplicate password elsewhere...
After learning the lesson involved, don't fret over this. It's not like you did this on purpose. Hacking is happening all over the world to every type and level of organization. We need constant reminders to be alert, both on-line AND in Real Life. We can mitigate, but not eliminate, danger, damage & loss. So, appreciate the support you've been given by the SMF Team and help write up the remedies so it doesn't happen to someone else.
PS- You should always be on the Team that handles problems of this sort. You now have experience in this kind of thing from several perspectives. :) Besides, it helps us heal when we can do something about a problem we caused.

SMF will be better and stronger as a team, as a software, as support team and just regular members for how we handle this, and I think it is being handled in an outstanding manner all the way around.
WAY TO GO TEAM~!
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 24, 2013, 09:01:53 PM
Thanks for your feedback all, it's really appreciated :)
Also thanks for the kind words of understanding that this can, unfortunately, happen. People make mistakes, so be it.

It's also nice to see that people are trying to inform each other of even more tips and tricks to protect themselves.
I guess that, in some way, we should be happy this served as a wake-up call to many people. When it happens "close to home", people tend to take it much more seriously. And for that part, I'm grateful that something good comes out of something bad.

Just had to put that out there. :)
Thanks guys n girls for the feedback and helping each other! :)
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 24, 2013, 09:48:18 PM
Quote from: Groovystar on July 24, 2013, 09:46:56 PM
My site is down again. Again, out of nowhere. Since this whole hacking, nothing's been right, and we are drowning in this. It is literally killing us.

If it's the site in your signature, it seems fine to me.  ;)
Title: Re: IMPORTANT: Community security breach
Post by: johncall on July 24, 2013, 09:56:57 PM
No harm, no foul so far.  I changed all the important passwords.  Stuff happens.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 24, 2013, 09:57:21 PM
Groovy....   I said this yesterday as well.... 

Quote from: Kindred on July 23, 2013, 04:54:53 PM
unless you used the same username and password on your site that you use here, there is unlikely to be anything related.

if you did use the same information on both sites *shakes finger while tsking*

However, the incident is unlikely to be related.
After all, his goal here (and on other sites like ubuntu) was not to take the sites down - it was to gather the user information without anyone knowing that he did it.
Title: Re: IMPORTANT: Community security breach
Post by: Madeyoulook on July 24, 2013, 10:44:13 PM
I received an email notification from Simple Machines Community Forum yesterday. Thanks to the SMF admins for passing on the information.

My client uses the SMF forum on two of their sites. Is it just the administrators of these SMF forums who need to reset their passwords, or do all members on their forums need to reset their individual passwords, too?
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 24, 2013, 10:49:22 PM
Really just admins and yourself, but will never go wrong to remind the members to use strong passwords etc
Title: Re: IMPORTANT: Community security breach
Post by: [yub] Lazo on July 24, 2013, 11:11:31 PM
I agree, I don't have the same password here and elsewhere, but I reminded my community members to use stronger passwords, pointing to this case.
Title: Re: IMPORTANT: Community security breach
Post by: GerryD on July 24, 2013, 11:33:11 PM
If the passwords are MD5 encrypted, you cannot decrypt. 
But you CAN create a password, encrypt it, and see if it matches anything in the database.
So easy passwords can be discovered, not decrypted...
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 24, 2013, 11:36:32 PM
GerryD
Quote from: CoreISP on July 23, 2013, 01:08:59 PM
Yes, they are encrypted. Unfortunately it's possible to brute force with about 6.7 million 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 24, 2013, 11:58:40 PM
also, we haven't used MD5 in years - SMF 2.x uses SHA1 salted and hashed - but the data is still "recoverable" if you have the time and the processing power.
Title: Re: IMPORTANT: Community security breach
Post by: chivitli on July 25, 2013, 03:06:53 AM
SMF2 uses salt, but since it's being upgraded from a previous version, only members who have logged in since have salted passwords. And even with it, it won't slow an attacker much.

Considering the year we are in, using SHA1, MD5 and in general using your own password hashing methods is wrong. I'd suggest considering the PHP requirements for the 2.1 version and bumping PHP to 5.3.7, as many projects already require PHP 5.3+. Then, use the password_compat (https://github.com/ircmaxell/password_compat) library to have a hashing method compatible with PHP 5.5 native methods, which is such that even if a security breach of this scale happens, an attacker would find the hashes useless, as in reality there'd be no way to decrypt them, considering the algorithm (which is very slow, unlike sha1, md5 etc. which are very fast). It takes some work, but this breach proves that all software should do the hashing right (and stop inventing its own methods, cryptography is hard to get right).
Title: Re: IMPORTANT: Community security breach
Post by: chivitli on July 25, 2013, 03:24:55 AM
Actually, the SMF salt is useless. You're using 4 hexadecimal characters, so there are 65 536 possible salt combinations. It's easy to build a lookup table for all of those combinations. Thus my point about inventing your own algorithms... Some useful reading can be found at https://crackstation.net/hashing-security.htm
Title: Re: IMPORTANT: Community security breach
Post by: Trekkie101 on July 25, 2013, 03:49:40 AM
We didn't invent it, salting is used to stop rainbow tables so that each forum will present its own challenge to decryption. SHA-1 has obviously degraded over the years and every now and then we improve the method we use to stay up to date.
Title: Re: IMPORTANT: Community security breach
Post by: Arantor on July 25, 2013, 03:56:25 AM
Much as I hate to get involved, someone who I owed a favour to asked me to comment.

Firstly, you're incorrect about some of your assertions. The salt you're referring to is not used to compute the password hash. The password in the database is stored as SHA1(strtolower(username) . password) and has been for a very long time in SMF. No extra table is required for this. Oh, and if you notice, it's not actually 'rolling their own'. It's following standard practice (take the password, add something that's account specific and hash that)... and in ANY case the salt would be useless if it were used because it's RIGHT THERE IN THE TABLE. It's only any use if it's otherwise an unknown, but since it's not an unknown element, because it's right there in the table, it doesn't really help any since you already have to construct a rainbow table for every account in the first place.

Secondly, not all hosts are currently using 5.3.7 and up. There are still some very major hosts running 5.2 and in fact some hosts still offering 4.4 hosting for the time being, even though 5.3 itself is officially maintenance only now, and most of SMF's typical demographic applies to those because they're the budget end of the market. So that's not really something SMF can implement in a realistic fashion, but I guess reality of lots of support requests (and there are already multiple requests per day related to one really poor free host and their limitations, but hey, let's add a crap ton more!) is irrelevant.

Thirdly, I don't believe you understand what it means by 'decrypting the password'. It is mathematically impossible to actually decrypt the password hashed by a digest hash like SHA1. What you do is find something that when combined with the username and then hashed will give you the same hash as what you're looking for... that means potentially multiple passwords will actually work because you're not looking to find the original, you're merely looking for a collision. You may want to search for multiple collisions for this very reason.

Fourthly, it is well researched and documented that most people suck at choosing passwords. A 2011 study (whose link I can't immediately find) found that 'password' was still by far the most common password, followed by '123456' and direct variations of that. Breaking into systems can be done with that fairly easily.

Incidentally, pushing everything to bcrypt may not be the smartest idea in the world. If everything is pushed to bcrypt and a *single* vulnerability is found, suddenly a lot more targets are actually located. Having everything in a slightly different form does at least have some benefits with respect to lowering the immediate attack vector options. There is a little comfort - but very certainly not a lot - from security through obscurity, but it is no substitute by any means for real security.

Thing to note: the system is only ever as strong as the people who hold the keys to it. It is often significantly easier to leverage a weakness in a person rather than in the technology under them, as was done here, to leverage the access to perform queries on the database. Once the database is compromised, best security practice is to assume it is *always completely compromised* even if the data is encrypted with the strongest possible methods, because you never know what resources the intruder has to break that.

Consider: this attack was to force an admin's account. If there was no way to run arbitrary code through some fashion with an admin's account or to pull a database backup of some kind, there would be less risk. In fact, if there is no method by which to run arbitrary code or pull a database backup without server access directly, you need to do more than brute force that account, and proceed to brute force a server account. If someone's already gotten into the server itself, assume everything is compromised anyway because by definition it is.

The whole thing about hashes is only an issue if someone gets into the server or otherwise can obtain raw access to the tables and right now there are ways by which an admin can do just that, either by splicing code into template files, or by uploading a package. Stronger controls need to be added to these to prevent arbitrary code being able to be run with just an admin's account, for example enforcing upload via FTP of plugins (as other software does), as well as limiting the ability to run arbitrary code from the admin panel by removing the ability to edit files from said admin panel and enforcing use of either hosting control panel or FTP download/local editing.

I see where you're going but honestly you're picking on one of the stronger links in the chain. There are far, far many more issues to consider... like how on a number of shared hosting setups it is actually possible for your setup to be hijacked as soon as you install a mod. Or how in a number of shared hosting setups it's possible for your entire database to be compromised and with you not being able to do *anything* about it whatsoever. But of course these are minor considerations when compared to worrying about what will happen when a hacker gets in... I'd personally prefer to keep them out in the first place where possible, rather than tightening up what happens when they already have. (Not that you shouldn't ALSO do that, but in terms of priority, it's really a secondary consideration. Don't worry about locking up the family silver if the front door is already unlocked.)
Title: Re: IMPORTANT: Community security breach
Post by: chivitli on July 25, 2013, 04:27:32 AM
Thanks for the reply Arantor, my apologies if my tone sounded too harsh, it was not the intent.

My first assumption was incorrect indeed, as I read in Kindred's statement about the use of salt. So having seen the salt column in the db, I connected the pieces without looking into the code. In your case, then, the username plays the role of the salt. Use of salt is not useless, because it prevents using a single lookup table.

I know that not all hosts are completely updated. By the time smf 2.1 comes out, the situation will definitely be better. Latest Joomla, Vbulletin, Drupal, IPB 4, phpBB 3.1 (once they come out) etc require 5.3+, and on many budget hosts it's possible to choose php version. In any case, I'd expect the situation to improve in the future. But I agree that not all may have 5.3.7 as the minimum.

Thirdly, that's an unfair assumption, and yes I understand it very well, I guess anyone who ever bothered understanding anything about this topic got it. Though collision for sha1 is unlikely, an attacker would usually use precomputed hashes from dictionary passwords, thus be after the original one. You cannot "decrypt" anything which is hashed, since hashing != encryption. But you can try to guess the original password, or depending on the algorithm find the one with the same hash.

Fourth - that's true, but I don't see how it relates to choosing the hashing algorithm. You can't protect irresponsible users, but you can do something for those who don't use "123456" passwords.

I am not a fan of security through obscurity, but in any case I don't see it as an option in open source software. Pushing everything to bcrypt with unknown weakness seems better than using an algorithm with known weaknesses, though I do get your point. If a weakness is discovered, well, you're in the same basket as everyone else, I doubt it's something which won't be taken care of fast. But considering how long it's been tested, it seems fairly strong.

And I completely agree that there are many weaknesses out there, where people using/configuring the system are by far the biggest. I focused on this just because there have been so many hashed passwords stolen on various websites, that it's maybe time that everyone updates. At least if someone breached the DB (and there are so many roads), *most likely* the attacker won't be able to do anything with the hashes. Even though the notice about the need to update the password would still be due.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 25, 2013, 05:54:04 AM
I changed my password to "invalid".

Now, if I forget what it was and type in the wrong one, it tells me what my password is...

"Password invalid"

;)
Title: Re: IMPORTANT: Community security breach
Post by: TS4Life on July 25, 2013, 07:17:41 AM
How is it possible to hack the database????? I think that the security here is missing. And I'm happy I am using a different script for my sites. Sorry SMF this is not okay.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 25, 2013, 07:35:09 AM
TS4Life,

Did you even actually read the report?
Especially the section which clearly stated that this was NOT a hack due to any vulnerability in the software?

Changing your script will not increase nor decrease your site's security in this case. Especially since several other (major) sites were also compromised using the same method and using OTHER forum (and non-forum) softwares. As we pointed out, this was due to a lax password protocol on the part of one of the admins, who has been chastised... but, as Arantor also points out, "It is often significantly easier to leverage a weakness in a person rather than in the technology under them, as was done here,"
Title: Re: IMPORTANT: Community security breach
Post by: earthasa on July 25, 2013, 07:57:15 AM
Brilliant @ K@ !
I've followed suit.

New password, I'm secure.

"invalid". Instant password reminder, reason to resist password change eliminated.  ;)


I'm confused about the use of salt and encryption in your database.  Since my account had been inactive for some time, I take it that my password was probably stored as an MD5 hash? If so, did those old password hashes hash more than the password text itself? -- Newer accounts I read conflicting information -- that what's hashed was the SHA1 of username+password -- and I also read that there was a 4 digit hex (16-bit / 64k-value) salt included in the hash.  It would be nice to get clarity on exactly what different hashes are in use in the database, and how each was computed, so as to estimate what accounts users who have a common username, email, or password elsewhere are at greatest risk of having the accounts correlated with each other / direct hash-collisions. 

When an account is deleted on SMF, is the user record completely purged?  What else is deleted or not deleted? PMs, posts, etc.  Sadly for security, I know many sites have a policy of not deleting accounts, only deactivating  them.

It sounds like the security question/answer did not hash the security answers? (reading between the lines).  That might be a good idea.  With lots of salt.


TS4Life, SMF may be able to make some implementation changes that MIGHT make it harder for a hacker who manages to get ahold of an administrator's password to access user data, but note that it will never be guaranteed secure against such attacks. There will always be SOME way to access the user data, and unfortunately - as web technology works - the script itself always has access, making scripts notoriously vulnerable to security holes. A security hole in the underlying script engine or server software, too, might allow an attacker to execute custom code and therefore gain access. There have been major security breaches at SSL certificate vendors, credit card companies, and dozens of major corporations with millions of dollar budgets. Security requires ongoing vigilance and as everyone has been saying for decades - before the web existed - using a different password everywhere is, for better and for worse, a necessary precaution to limit the damage when your password somewhere is compromised (and it most likely will be or has been before). Ideally you use complex passwords for all accounts, but certainly for banks and your email account (someone who can get into your email can usually reset your password on your other accounts).
Title: Re: IMPORTANT: Community security breach
Post by: iaccountant on July 25, 2013, 10:29:14 AM
Thank you for the swift notice and well crafted, clear message SMF folks.

Best wishes for a smooth resolution.
Title: Re: IMPORTANT: Community security breach
Post by: Safeway on July 25, 2013, 10:31:51 AM
I've already received three Apple password reset emails in the inbox associated with my SMF account. SMH.
Title: Re: IMPORTANT: Community security breach
Post by: medalta on July 25, 2013, 10:47:23 AM
Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here. By not following a basic tenet of board management you have conceivably compromised everyone that has supported and used this system. When you give someone admin rights you take the time to insure they follow proper protocol, if they are that dense they don't understand the consequences of their laziness they shouldn't be granted anything but basic rights.

I really don't appreciate you telling me of the need to, and reasons for, changing my passwords. I figured that out by the time I had read the subject line of your email.

Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone's laziness and stupidity is unacceptable.

I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.   
Title: Re: IMPORTANT: Community security breach
Post by: vivithemage on July 25, 2013, 10:55:56 AM
All too common now a days ... thanks for the heads up.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 25, 2013, 10:57:34 AM
Quote from: Medalta on July 25, 2013, 10:47:23 AM
This was a failure on the part of the admins here.

Of course it was. Such has been admitted.

Now, tell me that you've never made a mistake and I'll call you a damned liar. ;)

Title: Re: IMPORTANT: Community security breach
Post by: GravuTrad on July 25, 2013, 11:11:56 AM
Quote from: Medalta on July 25, 2013, 10:47:23 AM
Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here. By not following a basic tenet of board management you have conceivably compromised everyone that has supported and used this system. When you give someone admin rights you take the time to insure they follow proper protocol, if they are that dense they don't understand the consequences of their laziness they shouldn't be granted anything but basic rights.

I really don't appreciate you telling me of the need to, and reasons for, changing my passwords. I figured that out by the time I had read the subject line of your email.

Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone's laziness and stupidity is unacceptable.

I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.   


Goodbye man. 8)
Title: Re: IMPORTANT: Community security breach
Post by: playnetrek on July 25, 2013, 11:29:08 AM
Is SMF certain there isn't a vulnerability that needs to be addressed? That this was only an administrative mistake?

Received a notice Tuesday from ubuntuforums.com that they had also been hacked. Believe they were running SMF and are currently still down.
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 25, 2013, 11:31:41 AM
Quote from: earthasa on July 25, 2013, 07:57:15 AM
Since my account had been inactive for some time, I take it that my password was probably stored as an MD5 hash?

Only if you haven't logged in since this forum was running a 1.x build. If you got a "password security upgraded" message on your recent login, that is a sign that your account was still using the old 1.x MD5 hashing.


Quote from: earthasa on July 25, 2013, 07:57:15 AM
If so, did those old password hashes hash more than the password text itself?

I'm not sure, I'd need to check the code (I'm not intimately familiar with that part of SMF). However, MD5 is quite weak to collision attacks, so those are more at risk, even salted.

Quote from: earthasa on July 25, 2013, 07:57:15 AM
It would be nice to get clarity on exactly what different hashes are in use in the database, and how each was computed, so as to estimate what accounts users who have a common username, email, or password elsewhere are at greatest risk of having the accounts correlated with each other / direct hash-collisions. 

It doesn't matter so much. SMF currently uses a salted SHA1 hash. This means that plain rainbow tables can't be used, they'd have to be generated for each username, as was pointed out earlier.

Also, it's not so much an issue of if but rather when the values are recovered. For short or easy passwords, it'll be much sooner than more secure ones. However, with dedication and time, collisions can be found for every hash.

Quote from: earthasa on July 25, 2013, 07:57:15 AM
When an account is deleted on SMF, is the user record completely purged?  What else is deleted or not deleted? PMs, posts, etc.  Sadly for security, I know many sites have a policy of not deleting accounts, only deactivating  them.

The account information is removed, along with PMs. Posts by the user are retained, but dissociated from the old user account. They show up as guest posts with a display name set as the old user's login.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here.

Yes, yes it was. You're pointing out the obvious.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
By not following a basic tenant of board management you have conceivably compromised everyone that has supported and used this system.

Please make sure to let the people running the Apple Developer website, NASDAQ forums, Ubuntu forums, Club Nintendo, Morningstar Document Research, and Ubisoft's account system know the same too.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
When you give someone admin rights you take the time to insure they follow proper protocol, if they are that dense they don't understand the consequences of their laziness they shouldn't be granted anything but basic rights.

I guess you are perfect and use 20+ character randomly-generated passwords for everything, right? ****** happens and people f*** up at times. It doesn't mean they are dense or lazy. It means they are human.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone laziness and stupidity is unacceptable.

Please make sure to let practically every company that has ever had a security breach know that. Most security breaches come down to human fallibility. I sometimes do security reviews for medium to large companies (the kind that exist to make a profit and sell products) and the amount of WTF moments I've had is considerable. Honestly, I've done some stupid stuff as well on my personal server and the servers at my company. Once I find out how stupid it is, I fix it. Sadly, someone did something rather boneheaded on this forum and caused a lot of work. Luckily, it's being corrected.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
I am done with SMF (S****d M****r F*****'s)

Lowering yourself to crass attacks? Really? I think this forum software can survive without your attitude. Remember your positions next time someone points out a stupid mistake you made and please do make sure to appropriately discipline yourself in the way you seem to wish here.


Quote from: playnetrek on July 25, 2013, 11:29:08 AM
Is SMF certain there isn't a vulnerability that needs to be addressed? That this was only an administrative mistake?

Yes. It was tracked down to an unauthorized login in an administrative account. The holder of the account admitted to using the same password on other sites, at least one of which was compromised prior, iirc.


Quote from: playnetrek on July 25, 2013, 11:29:08 AM
Received a notice Tuesday from ubuntuforums.com that they had also been hacked. Believe they were running SMF and are currently still down.

They were running vBulletin.
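The three storage schemes compared across chivitli's and 青山 素子's posts above (unsalted MD5 from the 1.x days, SHA1 over username+password in 2.0 with the username as salt, and a slow randomly salted hash as proposed), as an added Python example that is not from the thread or from SMF's own code. It checks a login against whichever scheme the stored record uses and re-hashes legacy records on a successful login, which is the step behind the "password security upgraded" message mentioned above. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here (an assumption; the properties shown are the ones bcrypt also provides), and the record format, function names and sample accounts are constructed for the example.

```python
"""Password storage schemes discussed in the thread, side by side, with a
rehash-on-login upgrade path. Example code, not SMF's implementation."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# --- legacy schemes as described in the thread -----------------------------

def legacy_md5_hash(password: str) -> str:
    """SMF 1.x style: unsalted MD5 of the password alone.
    Identical passwords give identical hashes, so one lookup table covers
    every account in a dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_sha1_hash(username: str, password: str) -> str:
    """SMF 2.0 style: SHA1 over username + password, the username acting as
    the salt (SMF lowercases it first). This defeats a single shared lookup
    table, but SHA1 is fast, so per-user guessing stays cheap."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


# --- modern scheme ----------------------------------------------------------
# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt, which the thread
# proposes but which is not in the standard library. Both give a random
# per-user salt and a tunable work factor.
ITERATIONS = 100_000


def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def modern_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare constant-time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


# --- rehash on login --------------------------------------------------------

def verify_and_upgrade(record: Dict[str, str], username: str,
                       password: str) -> Tuple[bool, Dict[str, str], bool]:
    """Check a login against whatever scheme the stored record uses.

    On success with a legacy scheme the plaintext is available for the only
    time it ever is, so the record is replaced with a modern hash (the
    thread's "password security upgraded" step).
    Returns (login_ok, record_to_store, upgraded)."""
    scheme = record["scheme"]
    if scheme == "md5":
        ok = hmac.compare_digest(legacy_md5_hash(password), record["hash"])
    elif scheme == "sha1_user":
        ok = hmac.compare_digest(legacy_sha1_hash(username, password),
                                 record["hash"])
    elif scheme == "pbkdf2_sha256":
        ok = modern_verify(password, record["hash"])
    else:
        raise ValueError(f"unknown scheme {scheme!r}")

    if ok and scheme != "pbkdf2_sha256":
        return True, {"scheme": "pbkdf2_sha256", "hash": modern_hash(password)}, True
    return ok, record, False


if __name__ == "__main__":
    # constructed sample accounts, not data from the breach
    accounts = {
        "Alice": {"scheme": "sha1_user", "hash": legacy_sha1_hash("Alice", "correct horse")},
        "Bob": {"scheme": "md5", "hash": legacy_md5_hash("correct horse")},
    }
    # same password, but only the unsalted MD5 records would be identical
    # across users; the username-salted SHA1 already differs per account
    print("Alice vs Bob SHA1 differ:",
          legacy_sha1_hash("Alice", "correct horse") != legacy_sha1_hash("Bob", "correct horse"))
    for name, rec in accounts.items():
        ok, new_rec, upgraded = verify_and_upgrade(rec, name, "correct horse")
        print(f"{name}: login ok={ok} upgraded={upgraded} scheme now={new_rec['scheme']}")
```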
Title: Re: IMPORTANT: Community security breach
Post by: playnetrek on July 25, 2013, 11:41:39 AM
Quote from: 青山 素子 on July 25, 2013, 11:31:41 AM
Quote from: playnetrek on July 25, 2013, 11:29:08 AM
Is SMF certain there isn't a vulnerability that needs to be addressed? That this was only an administrative mistake?

Yes. It was tracked down to an unauthorized login in an administrative account. The holder of the account admitted to using the same password on other sites, at least one of which was compromised prior, iirc.


Quote from: playnetrek on July 25, 2013, 11:29:08 AM
Received a notice Tuesday from ubuntuforums.com that they had also been hacked. Believe they were running SMF and are currently still down.

They were running vBulletin.


Thank you for clarifying this.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 25, 2013, 11:41:59 AM
Quote from: Medalta on July 25, 2013, 10:47:23 AM
I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.


Again-

Quote
Other than Craigs List I have never encountered so many whining babies.

Later tater. Don't let the door hit you on the way out.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 25, 2013, 11:49:00 AM
Quote from: Medalta on July 25, 2013, 10:47:23 AM
Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here. By not following a basic tenet of board management you have conceivably compromised everyone that has supported and used this system. When you give someone admin rights you take the time to insure they follow proper protocol, if they are that dense they don't understand the consequences of their laziness they shouldn't be granted anything but basic rights.

I really don't appreciate you telling me of the need to, and reasons for, changing my passwords. I figured that out by the time I had read the subject line of your email.

Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone's laziness and stupidity is unacceptable.

I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.

And some thought I was a drama queen drama-monger? [corrected ... thanks Kindred!] ;)

:)

NOTE: your account is still active BTW.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 25, 2013, 11:51:20 AM
just for the record, I never called you a drama-queen (someone who rules drama and by drama), just a drama-monger (someone who sells or trades in drama) :P

But yeah.... you don't even hold a candle to some of these responses..... :)
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 25, 2013, 11:58:21 AM
Who's up for some pizza  and brew?
Title: Re: IMPORTANT: Community security breach
Post by: Safeway on July 25, 2013, 12:04:51 PM
Anyone else getting random password reset emails? Thankfully the password I used here isn't one that I use anywhere else, and I've checked my email login history to verify that my email account hasn't been breached. It still gives me the creeps to know that someone is actively attempting to take over our accounts.

Any idea where the unauthorized accessor is located? US, Russia, Turkey, etc.?
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 25, 2013, 12:40:49 PM
Random password reset emails from simplemachines.org?

It is unlikely that any continuing attack is going on here at simplemachines.org. The hacker only wanted one thing - the memberlist from the database. To do that, he needed an admin account.
So, normal members (while you should change your password, as a standard security protocol response) really should have nothing to worry about here on SMF itself. The main concern was if you may have used the same credentials on other sites.
Title: Re: IMPORTANT: Community security breach
Post by: Safeway on July 25, 2013, 01:10:29 PM
Quote from: Kindred on July 25, 2013, 12:40:49 PM
Random password reset emails from simplemachines.org?

No, from Apple at the email associated with my SMF account. Three so far.
Title: Re: IMPORTANT: Community security breach
Post by: Ronald_1938 on July 25, 2013, 01:14:11 PM
What happened, happened, it was an error on passwords.. Why can't people accept the error and carry on..

How many times have your personal passwords been just not quite right, whether not long enough or not a variety of figures..It happens to all of us at one time or another...

We have 12 pages of the same thing, why complain, take this as a lesson from this error and make your passwords better..

Move on....let the folks get back to doing what they do best, by making smf better for us!

Ron..
Title: Re: IMPORTANT: Community security breach
Post by: dafydd on July 25, 2013, 01:27:32 PM
The change of password does not seem to show up on this forum for me. Can someone point me in the right direction?
Title: Re: IMPORTANT: Community security breach
Post by: Owdy on July 25, 2013, 01:29:11 PM
Quote from: dafydd on July 25, 2013, 01:27:32 PM
The change of password does not seem to show up on this forum for me. Can someone point me in the right direction?
http://www.simplemachines.org/community/index.php?action=profile;area=account
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 25, 2013, 01:55:56 PM
Quote from: Safeway on July 25, 2013, 01:10:29 PM
Quote from: Kindred on July 25, 2013, 12:40:49 PM
Random password reset emails from simplemachines.org?

No, from Apple at the email associated with my SMF account. Three so far.

Once again, this particular hacker seems to be targeting places where he can progressively get more data on other ADMIN roles. He does not seem interested in defacement (actually defacement defeats his purpose - to go unnoticed as long as possible, so people don't change their passwords).
So, unless you are an admin in the Apple account, it is unlikely to be related.

Three attempts at a reset is not so many...   it is more likely that someone with a similar appleID forgot theirs and accidentally tried to login using yours.
Title: Re: IMPORTANT: Community security breach
Post by: BigBen on July 25, 2013, 02:54:34 PM
Changed my password.. I think I have an account on Ubuntu forums, but they took their forums down because of this recent event.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 25, 2013, 03:05:58 PM
Quote from: BigBen on July 25, 2013, 02:54:34 PM
Changed my password.. I think I have an account on Ubuntu forums, but they took their forums down because of this recent event.


They did, and Canonical is now going to manage it themselves instead of a third party doing it.
Not sure what their plans are, but they were shocked as well it got hacked.
Title: Re: IMPORTANT: Community security breach
Post by: NickTNZ on July 25, 2013, 03:30:25 PM
A quick "Me too" I have seen six attempts to re-set my apple ID since the passwords were hacked. Fortunately it is a different password from SMF.

Nick-T
Title: Re: IMPORTANT: Community security breach
Post by: floridaflatlander on July 25, 2013, 03:34:52 PM
Quote from: Medalta on July 25, 2013, 10:47:23 AM
Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here. By not following a basic tenet of board management you have conceivably compromised everyone that has supported and used this system. When you give someone admin rights you take the time to insure they follow proper protocol, if they are that dense they don't understand the consequences of their laziness they shouldn't be granted anything but basic rights.

I really don't appreciate you telling me of the need to, and reasons for, changing my passwords. I figured that out by the time I had read the subject line of your email.

Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone's laziness and stupidity is unacceptable.

I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.

Jesus people, what can you say ... besides goodbye. As one of my old English teachers used to say about 35 years ago "Don't let the doe knob hit you in the back."
Title: Re: IMPORTANT: Community security breach
Post by: londonblue on July 25, 2013, 04:06:50 PM
I din't even know I was a member of this forum!

"How many times have your personal passwords been just not quite right, whether not long enough or not a variety of figures..It happens to all of us at one time or another..."

Actually, never. This is a security breach not an inability to set passwords correctly. I just hope they really were encrypted properly as that narrows down the risks.

"why complain, take this as a lesson from this error and make your passwords better.."

Why complain? Because SMF f**ked up. I could have a 63-character random string password, or a common word, but that's immaterial to the breach itself.

"Now, tell me that you've never made a mistake and I'll call you a damned liar."

Why should I? Of course people make mistakes but this was negligent. This isn't spilling a bit of milk on the kitchen floor.

I'm glad you're all so comfortable continuing to use a system coded by people this lax. You really think there isn't vulnerability in SMF now?

Oh, and what's a "doe knob"?
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 25, 2013, 04:09:25 PM
Quote from: londonblue on July 25, 2013, 04:06:50 PM
I din't even know I was a member of this forum!

"How many times have your personal passwords been just not quite right, whether not long enough or not a variety of figures..It happens to all of us at one time or another..."

Actually, never. This is a security breach not an inability to set passwords correctly. I just hope they really were encrypted properly as that narrows down the risks.

"why complain, take this as a lesson from this error and make your passwords better.."

Why complain? Because SMF f**ked up. I could have a 63-character random string password, or a common word, but that's immaterial to the breach itself.

"Now, tell me that you've never made a mistake and I'll call you a damned liar."

Why should I? Of course people make mistakes but this was negligent. This isn't spilling a bit of milk on the kitchen floor.

I'm glad you're all so comfortable continuing to use a system coded by people this lax. You really think there isn't vulnerability in SMF now?

Oh, and what's a "doe knob"?

Have you bothered reading the first post?

This is ***NOT*** a vulnerability in SMF. Don't ask why, it's described in the first post.

(if putting up an attitude is the only way to get it through, so be it...)
Title: Re: IMPORTANT: Community security breach
Post by: BillF on July 25, 2013, 04:16:33 PM
Are you talking about my SMF Forum password, or something else associated with my SMF board?
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 25, 2013, 04:17:42 PM
Quote from: BillF on July 25, 2013, 04:16:33 PM
Are you talking about my SMF Forum password, or something else associated with my SMF board?
Please read the first post.
Title: Re: IMPORTANT: Community security breach
Post by: [yub] Lazo on July 25, 2013, 04:18:20 PM
Quote from: londonblue on July 25, 2013, 04:06:50 PM
You really think there isn't vulnerability in SMF now?


Who has ever said that? If you had read some pages in this topic to know what was going on. And, it was said (already 30 times) earlier, this was not a security breach in the SMF system. It was an accident.


Quote from: BillF on July 25, 2013, 04:16:33 PM
Are you talking about my SMF Forum password, or something else associated with my SMF board?

Yes, your SMF Forum password and private messages you've sent/received in the past.
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 25, 2013, 04:21:31 PM
Quote from: [yub] Lazo on July 25, 2013, 04:18:20 PM
Yes, your SMF Forum password and private messages you've sent/received in the past.
Note that the password is encrypted and would take a long while to figure out depending on its strength, and only passwords from here and other forums attacked were taken (so not your forum). Also only PMs sent and received on this forum are compromised.
Title: Re: IMPORTANT: Community security breach
Post by: combatking0 on July 25, 2013, 04:24:59 PM
I'll have to try encrypting my databases with Zero Encrypter - since I'm the only one who knows how it works, the spammers / hackers would need to either interrogate me or examine my modified SMF sources.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 25, 2013, 05:07:40 PM
Quote from: [yub] Lazo on July 25, 2013, 04:18:20 PM
Quote from: BillF on July 25, 2013, 04:16:33 PM
Are you talking about my SMF Forum password, or something else associated with my SMF board?

Yes, your SMF Forum password and private messages you've sent/received in the past.

No.
The password you use *here* on simplemachines.org is vulnerable.
The one of your own forum is safe.

Unless...  you used the password to your account here for the admin account on your own forum as well. Then you have a potential problem indeed, so change your password here and change your password on your own forum. Then you'll be safe. :)
Title: Re: IMPORTANT: Community security breach
Post by: [yub] Lazo on July 25, 2013, 05:23:57 PM
I just realized that I have read the post wrong, my fold. :-X
Title: Re: IMPORTANT: Community security breach
Post by: Spacedust on July 25, 2013, 05:25:01 PM
So have they got my user name, password and e-mail address?


BTW I never got the warning e-mail. 
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 25, 2013, 05:25:19 PM
Quote from: londonblue on July 25, 2013, 04:06:50 PM
I din't even know I was a member of this forum!

"How many times have your personal passwords been just not quite right, whether not long enough or not a variety of figures..It happens to all of us at one time or another..."

Actually, never. This is a security breach not an inability to set passwords correctly. I just hope they really were encrypted properly as that narrows down the risks.

"why complain, take this as a lesson from this error and make your passwords better.."

Why complain? Because SMF f**ked up. I could have a 63-character random string password, or a common word, but that's immaterial to the breach itself.

"Now, tell me that you've never made a mistake and I'll call you a damned liar."

Why should I? Of course people make mistakes but this was negligent. This isn't spilling a bit of milk on the kitchen floor.

I'm glad you're all so comfortable continuing to use a system coded by people this lax. You really think there isn't vulnerability in SMF now?

Oh, and what's a "doe knob"?


Okay God, since you're so intelligent tell us the proper way of doing things.  Apparently you know more than the rest of us.

Oh wait! You cant be that intelligent because remember,  you din't even know that  you was a member of this forum :o
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 25, 2013, 05:31:13 PM
Reminds me of a good choon...

http://www.youtube.com/watch?v=pLu07aXTEKY
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 25, 2013, 06:21:24 PM
For all those that want to complain about "lax security" and such, it has made the news that Stanford University's network was hacked. (http://techcrunch.com/2013/07/25/stanford-university-hacked/) The university is urging everyone with an account on their network to do a password reset.

Current speculation is that the hacker behind the intrusion also hacked Harvard and MIT back in May and possibly Rutgers, NASA, Mazda, Suzuki, Isuzu, Bose's Chinese branch, and Mopar even earlier.

So, please stop before criticizing the people here as if this is some special Simple Machines-only issue. It's Internet-wide.

The big takeaway from the announcement here is that the compromise was the result of password reuse, not a flaw in the software. As such, it's further reinforcement that you shouldn't be reusing passwords, at least between important and non-important sites.
Title: Re: IMPORTANT: Community security breach
Post by: The Hobo on July 25, 2013, 06:56:29 PM
Quote from: TimL on July 24, 2013, 02:27:39 PM
Wow. How many professions have a 100% success rate?

I HOPE the UNDERTAKER is 100%..... sure don't want to be buried alive.

The warning email has only just arrived here, so I guess the mailer is still working overtime to get through the number of members.
Title: Re: IMPORTANT: Community security breach
Post by: georaldc on July 25, 2013, 07:59:34 PM
I wonder if this hack is related to any of the other website hacks that have happened these past few days (Apple Dev site, Yii Framework site).
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 25, 2013, 08:00:52 PM
These hacks have been done in a similar way and have taken the same info, aka member lists. With the available info and how the hacks have been done, we believe it is the same people.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 25, 2013, 09:27:05 PM
Going through my emails I just discovered that I received my notice on this issue on Tuesday at 1:01pm. Just 16 minutes after this topic was created. ;)
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 25, 2013, 09:29:11 PM
Quote from: The Hobo on July 25, 2013, 06:56:29 PM
I HOPE the UNDERTAKER is 100%..... sure don't want to be buried alive.

Even that isn't 100%. There are verified reports from the 18th and 19th centuries of people being buried alive. Heck, there was even the whole category of safety coffin (http://en.wikipedia.org/wiki/Safety_coffin) to help signal if someone was actually alive. Luckily, modern medical science has nearly eliminated that risk in developed countries.


Quote from: georaldc on July 25, 2013, 07:59:34 PM
I wonder if this hack is related to any of the other website hacks that have happened these past few days (Apple Dev site, Yii Framework site).

It is likely related.
Title: Re: IMPORTANT: Community security breach
Post by: MadMick on July 25, 2013, 09:31:56 PM
Thanks for the notification guys, password on here and my own forum changed.

Title: Re: IMPORTANT: Community security breach
Post by: SleePy on July 25, 2013, 11:12:11 PM
Quote from: 青山 素子 on July 25, 2013, 11:31:41 AM
Please make sure to let the people running the Apple Developer website, NASDAQ forums, Ubuntu forums, Club Nintendo, Morningstar Document Research, and Ubisoft's account system know the same too.
And that is just the tip of the iceberg!  Although I am sure you didn't continue to list to not sound repetitive  :P
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on July 25, 2013, 11:15:04 PM
The list must be quite extensive.
Title: Re: IMPORTANT: Community security breach
Post by: Locksmith Trader on July 26, 2013, 02:13:12 AM
Tackling the issue head on is the only way. I would like to have my chances over not to make the mistakes I have made.
On my own forum for some weeks I have noticed several failed attempts to log on as an administrator, so someone is trying all the time, even at my little site.

Thank you for letting me know
Thank you for making me think
Thank you for reminding me that complacency is the enemy - many a battle was lost because someone fell asleep

If the big guys can be hacked then we can only do the very best we can.
We install strong locks fully aware of the fact that the burglar will just bring a bigger lever.

As for the dummy spit- Remember that all people can please you, some when they arrive and some when they leave :D

Keep up the good work moderators- I for one appreciate your work and help when I need it.
Title: Re: IMPORTANT: Community security breach
Post by: Pawan on July 26, 2013, 02:27:14 AM
Oh man, the hacker has attacked globally. I use different passwords for all my accounts. :)
Title: Re: IMPORTANT: Community security breach
Post by: miDnIghtEr20C on July 26, 2013, 02:30:16 AM
Got the email today... thanks for the heads up.
Title: Re: IMPORTANT: Community security breach
Post by: vtel57 on July 26, 2013, 02:53:33 AM
Account password changed.

Thanks for the fast alert.

Regards,

~Eric
Title: Re: IMPORTANT: Community security breach
Post by: a10 on July 26, 2013, 04:41:00 AM
Some perspective, including Visa & Nasdaq

http://www.marketwatch.com/story/nasdaq-others-hacked-in-multimillion-dollar-fraud-2013-07-25
Title: Re: IMPORTANT: Community security breach
Post by: gobbler on July 26, 2013, 05:09:41 AM
You outta be sued for negligence.
Title: Re: IMPORTANT: Community security breach
Post by: josan on July 26, 2013, 05:43:26 AM
Account password changed.

Thanks for the fast alert.

Regards.

Title: Re: IMPORTANT: Community security breach
Post by: kat on July 26, 2013, 06:06:02 AM
Quote from: gobbler on July 26, 2013, 05:09:41 AM
You outta be sued for negligence.

Away you go, then. See you in court. :)
Title: Re: IMPORTANT: Community security breach
Post by: MadMick on July 26, 2013, 07:06:20 AM
Hey guys,

Just to put this in some sort of perspective for the few drama queens in this thread, the following is a "real" serious security breach  ::)

http://www.sportingshootermag.com.au/news/firearms-data-compromised-says-nsw-police-sergeant (http://www.sportingshootermag.com.au/news/firearms-data-compromised-says-nsw-police-sergeant)
Title: Re: IMPORTANT: Community security breach
Post by: petabyte on July 26, 2013, 08:29:32 AM
Thank you for the quick action. Received the email about an hour ago, checked and changed the few places that use the same password. Done and done.

Really not sure why people are going off at the admin here, a mistake was made - sure, we all make them - it happens; what people should judge is how the mistake is 'cleaned up' - for that, SMF has done well, very well.

My username here is unique, as in I do not use it anywhere... and upon checking the password was used for 4 other sites I frequent, all changed.

Title: Re: IMPORTANT: Community security breach
Post by: aprilreign on July 26, 2013, 08:33:52 AM
Thanks for the info. Passwords changed.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 26, 2013, 09:23:37 AM
Quote from: gobbler on July 26, 2013, 05:09:41 AM
You outta be sued for negligence.

You should be sued for ignorance. Not to mention the malicious abuse of the English language.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 26, 2013, 09:31:20 AM
Does anyone else find it amusing that he can spell negligence, but can't use the correct word for "ought to"?

And ARG, abuse of my eyes with that huge font... zomg...
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 26, 2013, 09:51:44 AM
I don't normally harp on someone due to their grammar and/or spelling but let's face it......this guy is an idiot.  ;D
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 26, 2013, 09:53:07 AM
Quote from: Kindred on July 26, 2013, 09:31:20 AM
And ARG, abuse of my eyes with that huge font... zomg...
Illori asked me if I could try 82pt in my post, at least you won't miss it :P
Title: Re: IMPORTANT: Community security breach
Post by: neirons on July 26, 2013, 10:54:18 AM
That means more spam? Great. So it's not my or someone else's password security level that is important; actually the administration staff's human factor plays the main role. They should be trained and, if unsuccessful in training, fired!
Title: Re: IMPORTANT: Community security breach
Post by: Antes on July 26, 2013, 10:55:49 AM
Quote from: neirons on July 26, 2013, 10:54:18 AM
That means more spam? Great. So it's not my or someone else's password security level that is important; actually the administration staff's human factor plays the main role. They should be trained and, if unsuccessful in training, fired!

Yep, I agree. Can you please tell this to the vBulletin developers too? :)
Title: Re: IMPORTANT: Community security breach
Post by: blablubbb on July 26, 2013, 10:56:31 AM
Thanks for the notification. I found it in my Yahoo-Spam-filter.

And thanks that you did not reset the PW by default, so I know for sure which of my PWs is tainted.

Cheers

blablubbb
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 26, 2013, 11:00:58 AM
I find it very telling that the majority of the complaining is coming from users with less than 10 post count...

Aside from my complaint... which, to be fair, had nothing to do with complaining about the fact that the site got hacked... nor had anything to do with outing, firing, punishing, smacking, beating down, or any other way molesting the admin who made the error...

BTW:  Now that I've had some time to reflect on my criticism... I still maintain the same opinion,  though I apologize for the way I presented it.  I... in no way... want to be associated with the "geniuses" who've piled on about the hack,  the admin involved,  and the SMF community.

I am sorry.  I would also like to apologize to Kindred specifically for singling out...

Signed,

Drama-Monger :)
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 26, 2013, 11:04:32 AM
No worries Frizzle... Good title... We could make that a perm title, with a special badge. LOL! :P
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 26, 2013, 11:06:13 AM
Quote from: neirons on July 26, 2013, 10:54:18 AM
That means more spam? Great. So it's not my or someone else's password security level that is important; actually the administration staff's human factor plays the main role. They should be trained and, if unsuccessful in training, fired!

I found this opinion to be a trend only by those that have very few posts and/or are NOT ACTIVE here at SMF. If you don't know the facts nor have any respect, compassion or common sense then there is really no reason to profess your ignorance here. Become active and then maybe your opinions would have some merit.

This community is based on FREE software and is supported by volunteers. There is no paid training nor paid staff so in a real sense, nobody can actually be fired.

Be glad that you have access to such great FREE software. Like everyone else, deal with issues that arise and for God's sake STOP YOUR DAMN WHINING!
Title: Re: IMPORTANT: Community security breach
Post by: Avid Gamer on July 26, 2013, 11:18:18 AM
Quote from: MarkRH on July 24, 2013, 04:53:33 PM
Thanks for the heads-up. Changed my password here. I used that password only here, and the email address I have here is the only place I used it. Since my webhost allows unlimited email forwarding I make a separate email for each place I register, which makes it really easy to tell where a leaked/sold email address came from if I start getting spam on it. :)

I do the same thing too: easy to find the source of the leak and easy to change the forwarded email. Then if a spammer uses it they will incur a bounce, and that will hopefully bring it to the attention of a controller or admin.

As for dumping on the admin: yes, maybe it was an error on the admin's part, maybe not, but it's done; let's learn and get over it.
Title: Re: IMPORTANT: Community security breach
Post by: Johnny54 on July 26, 2013, 11:34:14 AM
I used the same password on a few websites/forums, not for other important things like e-mail, admin tasks, bank etc. Those were all unique.
For quite some time I told myself to make all of my passwords unique, but I kept putting it off.
What happened here was a great reminder and drive to finally do it.
Title: Re: IMPORTANT: Community security breach
Post by: DragoN_PT on July 26, 2013, 11:40:39 AM
Quote from: ARG on July 26, 2013, 11:06:13 AM
Become active and then maybe your opinions would have some merit.

And all the ppl that use SMF for years just cus they aren't so active in the forums can go f*** themselves. Yeah, right.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 26, 2013, 11:47:00 AM
Quote from: DragoN_SAMP on July 26, 2013, 11:40:39 AM
Quote from: ARG on July 26, 2013, 11:06:13 AM
Become active and then maybe your opinions would have some merit.

And all the ppl that use SMF for years just cus they aren't so active in the forums can go f*** themselves. Yeah, right.


I am not saying that. Where exactly did I say that? It's just funny that non-active members come here to complain only when an issue arises. They act as if they know the facts by reading the first post of a topic and don't bother to read through the entire thread. If they did then they would more than likely have a different opinion. Pure laziness shows ignorance.
My point is, if you don't know the facts then stop acting like a little schoolgirl that just had her hair pulled on the playground.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 26, 2013, 11:48:42 AM
Quote from: Kindred on July 26, 2013, 11:04:32 AM
No worries Frizzle... Good title... We could make that a perm title, with a special badge. LOL! :P

Done!

:D

Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 26, 2013, 11:52:53 AM
Quote from: DragoN_SAMP on July 26, 2013, 11:40:39 AM
Quote from: ARG on July 26, 2013, 11:06:13 AM
Become active and then maybe your opinions would have some merit.

And all the ppl that use SMF for years just cus they aren't so active in the forums can go f*** themselves. Yeah, right.

For one, use full words. "ppl" is not a word, write "people". It's not so damn hard to hit those few extra keys.

Second, everyone in the community is as important as the rest.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 26, 2013, 11:56:36 AM
Quote
Second, everyone in the community is as important as the rest.

Yes, I agree, but this topic should be split. One section for those concerned with the issue at hand and one for the perfect, God-like whining babies to discuss the public hanging of the admin who may have used poor judgement.
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 26, 2013, 11:57:29 AM
Quote from: ARG on July 26, 2013, 11:56:36 AM
Quote
Second, everyone in the community is as important as the rest.

Yes, I agree, but this topic should be split. One section for those concerned with the issue at hand and one for the perfect, God-like whining babies to discuss the public hanging of the admin who may have used poor judgement.
As much as I agree I can't see it happening, we'll just have to deal with it.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 26, 2013, 11:58:45 AM
Sarcasm.  ;D
Title: Re: IMPORTANT: Community security breach
Post by: DragoN_PT on July 26, 2013, 12:19:48 PM
Quote from: ARG on July 26, 2013, 11:47:00 AM
Quote from: DragoN_SAMP on July 26, 2013, 11:40:39 AM
Quote from: ARG on July 26, 2013, 11:06:13 AM
Become active and then maybe your opinions would have some merit.

And all the ppl that use SMF for years just cus they aren't so active in the forums can go f*** themselves. Yeah, right.


I am not saying that. Where exactly did I say that? It's just funny that non-active members come here to complain only when an issue arises. They act as if they know the facts by reading the first post of a topic and don't bother to read through the entire thread. If they did then they would more than likely have a different opinion. Pure laziness shows ignorance.
My point is, if you don't know the facts then stop acting like a little schoolgirl that just had her hair pulled on the playground.

Maybe that's because they don't have any real bonds with ppl here (friends or wtv) and they see this like it really is: an SMF (admin) fault that compromised many ppl's data. And the password isn't really the only thing affected since they (or he) could have got, for instance, the "secret question" and with it get access to many other websites (since those questions usually are the same or similar).

You have friends here and feel the need to step up for them, it's all good and go ahead with it, but don't forget that any member registered before the 20th of July (even if he has 0 posts) has the right to speak since they got affected by this.

As you may have already noticed, EN isn't my native language, so I'm sorry for any mistakes that I may have made and I hope you understand it. Cumpz.

Quote from: Yoshi on July 26, 2013, 11:52:53 AM
For one, use full words. "ppl" is not a word, write "people". It's not so damn hard to hit those few extra keys.

Why should I write like you want? Is that stated in the TOS? Maybe you should worry about other *more important* stuff instead, like helping SMF to protect themselves.
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 26, 2013, 12:25:49 PM
Quote from: DragoN_SAMP on July 26, 2013, 12:19:48 PM
Quote from: Yoshi on July 26, 2013, 11:52:53 AM
For one, use full words. "ppl" is not a word, write "people". It's not so damn hard to hit those few extra keys.

Why should I write like you want? Is that stated in the TOS? Maybe you should worry about other *more important* stuff instead, like helping SMF to protect themselves.

It's not what I want, it is what everyone understands. Not everyone understands chatspeak.
Besides, even though I am a staff member, I can't do anything except hope for the best, which is about what everyone can do. It's done, whining about it isn't going to help, neither is deleting your account or anything in that area.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 26, 2013, 12:28:19 PM
Quote
Maybe that's because they don't have any real bonds with ppl here (friends or wtv) and they see this like it really is: an SMF (admin) fault that compromised many ppl's data. And the password isn't really the only thing affected since they (or he) could have got, for instance, the "secret question" and with it get access to many other websites (since those questions usually are the same or similar).

You have friends here and feel the need to step up for them, it's all good and go ahead with it, but don't forget that any member registered before the 20th of July (even if he has 0 posts) has the right to speak since they got affected by this.

Nobody's personal "data" was compromised, only passwords. If one would actually read through this thread before expressing their opinion then they would know that. I never said that you don't have the right to speak. It's very simple (uncomplicated) to just change your password, stop pointing fingers and move on. It can't be that hard to do.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 26, 2013, 12:34:26 PM
well, you should write in standard English, not textspeak because that is the correct language for communication here.

additionally, for people like you who do not use English as a primary language, stupid txtspeak abbreviations don't get translated well.

Also... we basically assume that anyone who continues to use textspeak after being "warned" is just too lazy to bother writing correct language and thus, we are justified in being lazy ourselves and ignoring said user's requests.


As for the complainers.....
They were notified.
We (SMF) accept the blame that this happened and we've worked to make sure that it doesn't happen again.
However, the whiners and moaners don't seem to understand or accept that:
a) this was not a vulnerability in the software
b) this same issue happened to dozens of "professional" sites. So while we admit that the admin who re-used a password was wrong, attempting to make it seem like SMF did something earthshatteringly incompetent is rather excessive...
c) Really, if they were not also using the same password between here and other sites, this hack will have very little effect on anyone outside of this forum (and we're fairly certain that the hacker is not interested in coming back here to log into any user's account). The only exception to that is if the users here have exchanged personal connection information like passwords, etc. in PM (and, as noted, most of the loudmouth whiners have a low to zero post count, so it's unlikely that they did that - which means that they are, for most intents and purposes, unaffected by the breach).
Title: Re: IMPORTANT: Community security breach
Post by: Eudemon on July 26, 2013, 12:34:32 PM
*removed for my own sake*
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 26, 2013, 12:38:48 PM
well, that right there is a no-no, for this very reason.

Take this as a wake-up call to use better security protocols for your own sake. :)
Title: Re: IMPORTANT: Community security breach
Post by: Eudemon on July 26, 2013, 12:43:03 PM
:-\ But if I use all different passwords then I'm not gonna be able to remember them.
My boss uses an Excel sheet to store all the passwords of her accounts, but I feel it's very insecure.
Title: Re: IMPORTANT: Community security breach
Post by: DragoN_PT on July 26, 2013, 12:49:59 PM
Quote from: Yoshi on July 26, 2013, 12:25:49 PM
It's not what I want, it is what everyone understands. Not everyone understands chatspeak.
Besides, even though I am a staff member, I can't do anything except hope for the best, which is about what everyone can do. It's done, whining about it isn't going to help, neither is deleting your account or anything in that area.
I wasn't whining about what happened and I know that now we can't do anything more than change our passwords here and there. It's a pain in the ass but there's nothing more we can do atm..

And I couldn't care less about what admin did fail or what's going to happen with him.. I've just talked about the way ARG spoke about the non-active members, that's all.


Quote from: ARG on July 26, 2013, 12:28:19 PM
Nobody's personal "data" was compromised, only passwords. If one would actually read through this thread before expressing their opinion then they would know that. I never said that you don't have the right to speak. It's very simple (uncomplicated) to just change your password, stop pointing fingers and move on. It can't be that hard to do.

I'm not whining about the breach.. I only didn't like the way you speak about the "not so active" members.

About the "only passwords" if you read CoreISP opening post you will find:

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
One of the admins account password was discovered, and from there further escalation wasn't too difficult considering admin privileges can do just about anything.

You can say "go read all 15 pages before this one" but if CoreISP stated that in the 1st post and hasn't changed it till now it's cus that still remains as the guideline.


Quote from: Kindred on July 26, 2013, 12:34:26 PM
well, you should write in standard English, not textspeak because that is the correct language for communication here.

additionally, for people like you who do not use English as a primary language, stupid txtspeak abbreviations don't get translated well.

Also... we basically assume that anyone who continues to use textspeak after being "warned" is just too lazy to bother writing correct language and thus, we are justified in being lazy ourselves and ignoring said user's requests.

So many things to worry about and you worry about a non-English guy's grammar.. Nice work mate. And afair (can you read this..?) I didn't request anything.

Cumpz.
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 26, 2013, 12:54:13 PM
Quote from: Eudemon on July 26, 2013, 12:43:03 PM
:-\ But if I use all different passwords then I'm not gonna be able to remember them.

Then compromise and use a high/low password set. For stuff that doesn't need very much security and won't harm you if it's hacked, use a shared password among them all. For more important things like e-mail accounts, online banking, etc use a different password or a unique password for each of those systems.


Quote from: Eudemon on July 26, 2013, 12:43:03 PM
My boss uses an Excel sheet to store all the passwords of her accounts, but I feel it's very insecure.

Keepass (http://keepass.info/). It stores all your passwords, and you protect it with a keyphrase. It works very well and there are applications that are compatible with it on nearly every platform (KeepassX for OS X and Linux, KeePassDroid for Android, etc.).

Also popular is Lastpass (https://lastpass.com/).


Quote from: DragoN_SAMP on July 26, 2013, 12:49:59 PM
So many things to worry about and you worry about a non-English guy's grammar.. Nice work mate. And afair (can you read this..?) I didn't request anything.

I'm a native English speaker (California, USA) with a BA in Literature and even I am not sure what "afair" is. The only thing I can think is maybe affair, but that makes no sense in context...

Please keep in mind that online, the only thing people have to go by when you communicate is the quality of your writing. Using slang, abbreviations, uncommon initialisms, or other kinds of non-formal writing will make you seem a bit less educated, or at least a little lazy. It's not a very good position to put yourself in if you want to be persuasive. Also, people unfamiliar with the terms will be confused and will either not participate or misunderstand what you are trying to communicate.
Title: Re: IMPORTANT: Community security breach
Post by: Tuesday on July 26, 2013, 01:00:16 PM
So I have changed my password here. Do I need to change my password on all smf sites I have registered on, even if I do not have the same password there as I do here?
Title: Re: IMPORTANT: Community security breach
Post by: Eudemon on July 26, 2013, 01:01:59 PM
Quote from: Tuesday on July 26, 2013, 01:00:16 PM
So I have changed my password here, do I need to change my password on all smf sites I have registered on even if I do not have the same password here as I do there?

You don't have to change it if you use different passwords on other sites.
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 26, 2013, 01:03:21 PM
Quote from: Tuesday on July 26, 2013, 01:00:16 PM
So I have changed my password here, do I need to change my password on all smf sites I have registered on even if I do not have the same password here as I do there?

No. Only if you shared this password with any other accounts do you need to change your password on those places.

Please note that the concern is not so much other SMF sites, but some people register with the same e-mail address and password on places like PayPal, their bank, or their e-mail provider. Sharing passwords like that is a bad idea because if a compromise happens on any one site, the attackers potentially have access to sensitive accounts.
Title: Re: IMPORTANT: Community security breach
Post by: Eudemon on July 26, 2013, 01:03:42 PM
Quote from: 青山 素子 on July 26, 2013, 12:54:13 PM
Keepass (http://keepass.info/). It stores all your passwords, and you protect it with a keyphrase. It works very well and there are applications that are compatible with it on nearly every platform (KeepassX for OS X and Linux, KeePassDroid for Android, etc.).

Also popular is Lastpass (https://lastpass.com/).

Thanks. Where do they store data? Local machine or in their database?
Title: Re: IMPORTANT: Community security breach
Post by: DragoN_PT on July 26, 2013, 01:07:46 PM
Quote from: 青山 素子 on July 26, 2013, 12:54:13 PM
I'm a native English speaker (California, USA) with a BA in Literature and even I am not sure what "afair" is. The only thing I can think is maybe affair, but that makes no sense in context...

Please keep in mind that online, the only thing people have to go by when you communicate is the quality of your writing. Using slang, abbreviations, uncommon initialisms, or other kinds of non-formal writing will make you seem a bit less educated, or at least a little lazy. It's not a very good position to put yourself in if you want to be persuasive. Also, people unfamiliar with the terms will be confused and will either not participate or misunderstand what you are trying to communicate.

afair = as far as I remember/recall

As for the rest there isn't much more to say. If I break any TOS rule just warn me.

Quote from: 青山 素子 on July 26, 2013, 01:03:21 PM
No. Only if you shared this password with any other accounts do you need to change your password on those places.

Please note that the concern is not so much other SMF sites, but some people register with the same e-mail address and password on places like PayPal, their bank, or their e-mail provider. Sharing passwords like that is a bad idea because if a compromise happens on any one site, the attackers potentially have access to sensitive accounts.

Can you guys tell for sure that only passwords and emails got stolen? Not any other data?
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 26, 2013, 01:09:16 PM
Quote from: Eudemon on July 26, 2013, 01:03:42 PM
Thanks. Where do they store data? Local machine or in their database?

Local machine :)
Title: Re: IMPORTANT: Community security breach
Post by: Eudemon on July 26, 2013, 01:10:36 PM
Quote from: CoreISP on July 26, 2013, 01:09:16 PM
Quote from: Eudemon on July 26, 2013, 01:03:42 PM
Thanks. Where do they store data? Local machine or in their database?

Local machine :)

Yeah, just browsed around and figured that means I have to carry the files if not using the same PC,
and in the future when they update the way of encrypting files, I then have to update every single file here and there, which is a bit of trouble.
Title: Re: IMPORTANT: Community security breach
Post by: Peregrinus on July 26, 2013, 01:11:01 PM
Hopefully none of the poor noobs use the same password as their machine, because I assume the hacker will have IPs of posts as well?
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 26, 2013, 01:15:13 PM
Quote from: Eudemon on July 26, 2013, 01:03:42 PM
Thanks. Where do they store data? Local machine or in their database?

Keepass is entirely offline. If you want to access from multiple locations, you'll need to configure a way to sync the master password file. I use an Android phone and just use Dropbox + Dropsync to mirror my KeePass database across my machines and my phone.

Lastpass stores the password file on the LastPass servers, I believe. This allows it to work on multiple devices without any effort on the user's end. There are ways to use LastPass as an "offline only" system.

Both systems encrypt the password file using the passphrase you create. I believe both use AES128 as the encryption type, so it's pretty strong at the present moment.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 26, 2013, 01:16:39 PM
Quote
Yeah, just browsed around and figured that means I have to carry the files if not using the same PC,
and in the future when they update the way of encrypting files, I then have to update every single file here and there, which is a bit of trouble.

There is a mobile version for Android. :) Not sure if there's one for iOS.


Quote from: Peregrinus on July 26, 2013, 01:11:01 PM
Hopefully none of the poor noobs use the same password as their machine, because I assume the hacker will have IPs of posts as well?

That's a bit harder.
Most people these days get a modem/router combo that is a firewall by itself. If not, they do have a firewall on their machine.
Next to that, the hacker must know the username to use on the local machine.

The risk of that happening is extremely low.
Title: Re: IMPORTANT: Community security breach
Post by: Eudemon on July 26, 2013, 01:19:33 PM
Quote from: 青山 素子 on July 26, 2013, 01:15:13 PM
Quote from: Eudemon on July 26, 2013, 01:03:42 PM
thanks, where do they store data? local machine or in their database

KeePass is entirely offline. If you want to access from multiple locations, you'll need to configure a way to sync the master password file. I use an Android phone and just use Dropbox + Dropsync to mirror my KeePass database across my machines and my phone.

OK, thanks for the tip, will dig around later.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 26, 2013, 01:24:45 PM
Dragon: As the guy who sort of started the whole "low post users" fork of discussion... if you read back... and keep things in context... I clearly said "single digit" posters.

You're a "two digit" poster.  Your righteous indignation is unfounded.

PS: Textspeak only makes people look ignorant when used on a forum/board... that said, there have been plenty of other things you've said that do the same... so carry on... it makes no difference at this point.
Title: Re: IMPORTANT: Community security breach
Post by: tomreyn on July 26, 2013, 01:58:04 PM
Quote from: CoreISP on July 23, 2013, 12:45:08 PM
On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.

That's a bit of a late notice (I do understand you had to contain the compromise, roughly analyze the attack, determine and fix the vulnerability before announcing it), but surely I appreciate it very much.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
Unfortunately for us, an Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.

Hopefully this administrator is now an ex administrator. Or else it's just the remaining admins (having to deal with the compromise) and us forum users (who will likely receive more spam as a result) who will suffer from his or her bad password hygiene.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
Yes, the passwords are stored with encryption.
Unfortunately, even encrypted passwords can be decrypted. Hence, the passwords used here should not be considered safe anymore.

This would not be a problem (for other sites) if SMF were to use a stronger hash function (the current one is considered outdated) and used multiple rounds of hashing. I think this would really make a good improvement and should be worth focusing development on for a bit. Anyone who is able to contribute to this, please do read up on the state of the art of password hashing (http://www.h-online.com/security/features/Storing-passwords-in-uncrackable-form-1255576.html) and try to come up with an implementation for SMF.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.

Now this brings up the question of how to prevent such issues in the future.

The obvious answer is that users, but even more so admins, must use proper password hygiene. Password generators which create highly random passwords are not a recent invention, password reuse is and has been a no-go area for a good while.

But there's more to it.
It's also easy to grab the password from an admin who is logged in to an Internet café since this forum doesn't use any transport encryption. SSL is really mandatory for all sites which provide a login nowadays.
We need better password hashing, as discussed above.
Also rate limiting on authentication requests is a really good idea. Logins could be combined with captchas for added security. You could then also require a password reset (by e-mail) if a login failed three times in a row (without a CAPTCHA this opens you up to a DoS condition where anyone can lock out another user where he knows the username).

And when a compromise took place, it should be really simple for the admins to initiate and enforce a site-wide password reset on all existing users, by invalidating all passwords and making users go through an e-mail based password reset. That's what we're doing for forum.megaglest.org currently, but it seems to be not exactly a straight-forward process with SMF 2.0.4 (http://www.simplemachines.org/community/index.php?topic=508437.0), and a couple more questions came up along the way.
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 26, 2013, 02:04:16 PM
SMF has a built-in login limiter, or how you'd want to call it. After my password changes I came across it quite a few times :P
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 26, 2013, 02:58:21 PM
Quote
That's a bit of a late notice (I do understand you had to contain the compromise, roughly analyze the attack, determine and fix the vulnerability before announcing it), but surely I appreciate it very much.

Late? :)
It was announced within 16 hours after the compromise was found, which is extraordinarily fast.
Looking at comparable hacks, some companies take multiple days, even weeks or months before they inform their users *if* they inform their users to begin with.

If there's anything we did well in my opinion, it was the speed wherein the announcement was made. :)

Quote
Hopefully this administrator is now an ex administrator. Or else it's just the remaining admins (having to deal with the compromise) and us forum users (who will likely receive more spam as a result) who will suffer from his or her bad password hygiene.

Nope.

Quote
This would not be a problem (for other sies) if SMF were to use a stronger hash function (the current one is considered outdated) and used multiple rounds of hashing. I think this would really make a good improvement and should be worth focusing development on for a bit. Anyone who is able to contribute to this, please do read up on the state of the art of password hashing and try to come up with an implementation for SMF.

Debatable. The problem is that if the method of how the hashing is done is known (which isn't too hard to find out with opensource software), you can still start generating insane amounts of hashes to compare with. If anything, you delay the inevitable.
Of course, the stronger the password indeed the more impossible it becomes with such methods of hashing and you can greatly minimize certain risks... With a catch:
The problem is that most people *don't* use strong passwords. No matter how you hash, if the method is known, simple passwords are still quite easy to crack. That's the biggest issue with the end users in my opinion.

But yes, anything can be made more secure. :)
The problem is that even if you do, all you do is make it take extra time to decrypt; but there's no single guarantee that it will be impossible to decrypt it. Now the current method is "outdated", now you make a new one and in two years hardware has advanced so much that the new method is considered obsolete because the hardware can brute so fast it doesn't matter anymore.

It was an interesting article to read for sure, though. Thank you for sharing :)


Quote
It's also easy to grab the password from an admin who is logged in to an Internet café since this forum doesn't use any transport encryption. SSL is really mandatory for all sites which provide a login nowadays.

Yes, that's child's play. Either by session stealing or sniffing.
SSL encryption is actually being worked on enabling here.
Not that it's relevant to the hack at hand.

And no, it's not easy to force passwords resets.

Myself, I'm very much in favor of two-factor authentication. Surprised you didn't mention it as a possibility. ;) Much more secure than anything else.
Unfortunately it may lead to inconveniences, though for high-profile accounts (such as admins), it should be considered a necessary evil good.
Title: Re: IMPORTANT: Community security breach
Post by: byproduct on July 26, 2013, 03:05:43 PM
will someone explain to me
WHY
for 3 days ya'll been posting about this
and only just minutes ago
i get an email warning to change my passwords?

.
.
.
.
.
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 26, 2013, 03:10:45 PM
Because you are user number 276199.  The server is working all out sending the announcement email but it still takes time to send nearly 300,000 emails.  Hopefully I will get mine sometime tomorrow then, since I'm user number 325731  ;)
Title: Re: IMPORTANT: Community security breach
Post by: CountryLady on July 26, 2013, 03:37:00 PM
Emails can get lost or shuffled to the wrong address, or routers along the way have issues and transmittal is delayed, or... or... or...

"The Internet" is quite a fragile web, with a wide assortment of dangers that can cause errors, redirects, dropped packets, etc....

There is much opportunity to learn in this current breach, and in this thread as well.

Anyone who is not subscribed to this BOARD via the "Notify" system, as well as via the profile setting to allow "SMF Important Announcements" by email, is reducing their chances of getting a timely HEADS-UP. Oh, and if the email address used here at SMF is not a member's primary email, it may take a while for them to check the email address they used for SMF, unless there is a redirect in place to route it to the primary email client.

The time from intrusion to notification in this case was phenomenal.
Job well done SMF Team~!


Title: Re: IMPORTANT: Community security breach
Post by: byproduct on July 26, 2013, 03:40:05 PM


no wonder the hackers and spammers stay ahead
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 26, 2013, 04:27:21 PM
Of course they do.

They do with Windows, virii/viruses, with everything.

Until someone works-out that there's an opening and exploits it, most people won't even know it exists.

It's not just on the net, either. Nothing, in real life, is 100% secure, either.

But, particularly on the net, as I said, earlier, anyone who believes anything is 100% secure is 100% deluded.
Title: Re: IMPORTANT: Community security breach
Post by: Ambrosia on July 26, 2013, 04:30:07 PM
Quote from: ARG on July 26, 2013, 11:47:00 AM
Quote from: DragoN_SAMP on July 26, 2013, 11:40:39 AM
Quote from: ARG on July 26, 2013, 11:06:13 AM
Become active and then maybe your opinions would have some merit.

And all the ppl that use SMF for years just cus they arent so active in the foruns can go f*** themselfs. Yeah, right.


I am not saying that. Where exactly did I say that? It's just funny that non-active members come here to complain only when an issue arises. They act as if they know the facts by reading the first post of a topic and don't bother to read through the entire thread. If they did then they would more than likely have a different opinion. Pure laziness shows ignorance.
My point is, if you don't know the facts then stop acting like a little schoolgirl that just had her hair pulled on the playground.
[Bolding mine.]
ARG, although I understand your frustration after reading every last post in this thread, a frustration I share, I do have a request. As a woman I find the put down of another and their immature behavior equated to how a girl or woman would act if injured to be quite offensive. I imagine a little schoolboy who had just had his hair pulled would be upset also. Sexism doesn't become you. You are right, however. The whiners need to grow up and get a life.


I got the notification this morning in my spam box. Why their system thought it was spam, I cannot say. I marked it as not spam and read it, then came here and checked out the thread. Although I did read over half the thread this morning, I had things to do and could not come deal with this issue until now. I don't know what password I used here previously, so now it has been changed.  ;)

I want to thank the powers that be for all their hard work in dealing with this frustrating situation. I know you all have put in a tremendous amount of work and effort to deal with this breach and I greatly appreciate it. The fact that the notifications started going out only 16 hours after the breach was found is pretty amazing. That is quick work! Thank you for being so quick to let your users know there was a problem. You all rock. :)


Title: Re: IMPORTANT: Community security breach
Post by: kat on July 26, 2013, 04:38:16 PM
Thanks, Ambrosia.

I read that as "Girls tend to have louder, more piercing screams than men do", which they do, generally.

But, of course, I may be biased, being a mere male. ;) (Despite what my gender icon says-Long story)

Point taken, though.
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 26, 2013, 04:40:43 PM
That's how I read it too K@ (and my gender icon is correct  ;) )  Also at my school the boys would have been more likely to react to such a taunt with a punch in the face than a screaming fit.

Come to think of it, so would the girls...   ::)
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 26, 2013, 04:42:01 PM
Quote
ARG, although I understand your frustration after reading every last post in this thread, a frustration I share, I do have a request. As a woman I find the put down of another and their immature behavior equated to how a girl or woman would act if injured to be quite offensive. I imagine a little schoolboy who had just had his hair pulled would be upset also. Sexism doesn't become you. You are right, however. The whiners need to grow up and get a life.


OMG! It's a simple, very well known and often used figure of speech. Get over it. That said, I will part ways with this thread as attempting to argue my point with forum trolls is nearing the point of exhaustion.

Ya'll have a nice day.


Gee, hope that I didn't offend anyone with that statement.  :o
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 26, 2013, 04:47:28 PM
Quote from: ChalkCat on July 26, 2013, 04:40:43 PM
That's how I read it too K@ (and my gender icon is correct  ;) )  Also at my school the boys would have been more likely to react to such a taunt with a punch in the face than a screaming fit.

Come to think of it, so would the girls...   ::)

Ah, but I went to a good ol' Grammar/Technical school.

We were all gentlemen (Even the ladies!)




...and if you believe that.... ;)
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 26, 2013, 05:37:28 PM
Ambrosia,

Please keep in mind that if you're unsure which password you used and you might suspect you used the same password elsewhere: you should change the password at the other sites where you used it.
That will prevent any possibility for your site to get compromised.

Thanks :)
Title: Re: IMPORTANT: Community security breach
Post by: Gary on July 26, 2013, 05:58:22 PM
Heck, if you're not sure if the same password is used on SM.org and other sites, a good tip I can give is: Change them all anyway! :P
Title: Re: IMPORTANT: Community security breach
Post by: tomreyn on July 26, 2013, 06:02:27 PM
Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Late? :)
It was announced within 16 hours after the compromise was found, which is extraordinarily fast.
Looking at comparable hacks, some companies take multiple days, even weeks or months before they inform their users *if* they inform their users to begin with.

If there's anything we did well in my opinion, it was the speed wherein the announcement was made. :)

I counted the time between initial discovery (as stated in the forum post) to when the first user on this forum I know received the e-mail announcement. Which is 4 days (July 22nd to July 26).

16 hours would be really good indeed. How did you measure it?

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Hopefully this administrator is now an ex administrator. Or else it's just the remaining admins (having to deal with the compromise) and us forum users (who will likely receive more spam as a result) who will suffer from his or her bad password hygiene.

Nope.

Hmm, well I'm sure you have your reasons, and it's surely the admin team's decision, not that of anyone else.
On the other hand I am now more concerned than before, which always happens when decisions are taken which at first hand seem bad, and no explanation is given to back them up (I haven't read the entire thread, though, so I may have missed it).

Quote
This would not be a problem (for other sites) if SMF were to use a stronger hash function (the current one is considered outdated) and used multiple rounds of hashing. I think this would really make a good improvement and should be worth focusing development on for a bit. Anyone who is able to contribute to this, please do read up on the state of the art of password hashing and try to come up with an implementation for SMF.

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Debatable. The problem is that if the method of how the hashing is done is known (which isn't too hard to find out with opensource software), you can still start generating insane amounts of hashes to compare with. If anything, you delay the inevitable.

Yes, and that's exactly what encryption and hashing are all about. Delaying the inevitable so much that it won't bite you for the next couple of years, or better, decades. You can attack every hash mechanism, every encryption, but if it would take more resources than are practically available within a short enough time frame, these attacks become irrelevant (for the time being), and an attacker will move on (to lower hanging fruit on the same or a different application / server).

The fact that the hashing mechanism is known is not much of a problem. History has shown that closed-source hashing mechanisms are often cumbersome and this is actually why NIST has chosen to switch to a fully open design and implementation contest for hashing mechanisms - the SHA series of hash functions are the very result of it, and while SHA-1 has a couple open wounds now and the SHA-2 family members have their first scratches (some deeper, some less), SHA-3 has been the largest contest so far, bringing a lot of good candidates to light (which may also be used as alternatives to SHA-3). So please do not go this route, the very, very most homebrew crypto and hashing mechanisms just fail miserably during the design phase, but their developers do not realize it.

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Of course, the stronger the password indeed the more impossible it becomes with such methods of hashing and you can greatly minimize certain risks... With a catch:
The problem is that most people *don't* use strong passwords. No matter how you hash, if the method is known, simple passwords are still quite easy to crack. That's the biggest issue with the end users in my opinion.

It's true, most people continue to choose weak passwords. There are some counter measures to it, some of which are implemented in SMF, such as password policies (though there is room for improvement there, too - we have actually worked to improve this feature for our SMF install lately, and I hope we'll be contributing the resulting code back to SMF soon). But ultimately it's a problem which seems impossible to fix, and it's a matter of much debate. Nevertheless, just because many will happily decide to set weak passwords, or to reuse passwords, this doesn't mean that you should not make it possible to have better security for those users who do care. And much can be done about hashing (http://www.h-online.com/security/features/Storing-passwords-in-uncrackable-form-1255576.html) in SMF even if you continue to provide PHP backwards compatibility (a noble approach), such as making the hash function selectable, or choosing it at installation / upgrade time (which would involve a sitewide password reset) based on what's available then.

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
But yes, anything can be made more secure. :)
The problem is that even if you do, all you do is make it take extra time to decrypt; but there's no single guarantee that it will be impossible to decrypt it. Now the current method is "outdated", now you make a new one and in two years hardware has advanced so much that the new method is considered obsolete because the hardware can brute so fast it doesn't matter anymore.

It was an interesting article to read for sure, though. Thank you for sharing :)

Happily, and thanks for reading it. About the outdating hash functions, again making them selectable can be an option there (but you will point out that a password hashing mechanism can consist of more than a hash function and this may need to change over time, too, and I would agree).

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Quote
It's also easy to grab the password from an admin who is logged in to an Internet café since this forum doesn't use any transport encryption. SSL is really mandatory for all sites which provide a login nowadays.

Yes, that's child's play. Either by session stealing or sniffing.
SSL encryption is actually being worked on enabling here.
Not that it's relevant to the hack at hand.

I'm glad to hear SSL is being worked on, I think this would be a major improvement for this installation (and thanks for confirming the password was not stolen this way).

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
And no, it's not easy to force passwords resets.

Myself, I'm very much in favor of two-factor authentication. Surprised you didn't mention it as possibility. ;) Much more secure than anything else.
Unfortunately it may lead to inconveniences, though for high-profile account (such as admins), it should be considered a necessary evil good.

I agree about its use for admin accounts. The reason I didn't bring it up is that I also like to keep the amount of user profile information collected to a minimum and to continue to provide an option for pseudonymity - you make this really difficult when you add two-factor authentication which usually relies on mobile phones nowadays. There could also be hardware crypto tokens generating one-time passwords like those of RSA (where the secret master key recently became non-secret), but this involves purchases which not everyone can afford and which usually break pseudonymous operation. You could do the same with a free but closed-source software, but then you rely on the users' computers to not be compromised - which can work, or not, or something TPM based, but this won't help much there either (and TPM is not universally available and also has its very own privacy issues).

That said, multi-factor authentication is usually the way to go, where it's an option, and it'd be great to have SMF support it (as an option).




Edited to add:

Those of you wondering about how to get away from password reuse, and are using Firefox and its password store, please have a look at these fine add-ons:
Password Reuse Visualizer (https://addons.mozilla.org/en-us/firefox/addon/password-reuse-visualizer/)
Saved Password Editor (https://addons.mozilla.org/en-us/firefox/addon/saved-password-editor/)

Those add-ons and an hour of your time are all you need to get back on par with current password security. Maybe a good key generator like that of KeePass would make another good addition, depending on the password scheme you use.

Anyone who is wondering about how to improve their password hygiene may want to take a look at this great article on this very topic:
http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html
Title: Re: IMPORTANT: Community security breach
Post by: Ambrosia on July 26, 2013, 06:05:42 PM
Quote from: CoreISP on July 26, 2013, 05:37:28 PM
Ambrosia,

Please keep in mind that if you're unsure which password you used and you might suspect you used the same password elsewhere: you should change the password at the other sites where you used it.
That will prevent any possibility for your site to get compromised.

Thanks :)
I will. I think I have changed almost all of my passwords in the last year from other sites getting hacked anyway. :D

Cheers!
Title: Re: IMPORTANT: Community security breach
Post by: SD-X on July 26, 2013, 07:10:19 PM
I'm starting to get a bit worried now. SMF wasn't the only major website attacked this week. Apparently Ubuntu Forums, and a major UK webhost known as "OVH Systems" were also breached:

http://ubuntuforums.org/announce.html
http://forum.ovh.co.uk/showthread.php?t=6699

I'm beginning to wonder if the attacks are related. I know thousands of websites around the world are always being attacked...but to have three major ones hit within days of each other and have similar data stolen is a bit surprising.
Title: Re: IMPORTANT: Community security breach
Post by: a10 on July 26, 2013, 07:59:26 PM
*anything* is possible... take a look at this ATM hack:

http://www.youtube.com/watch?v=WZF4CnMCEsY

:D
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 26, 2013, 09:25:44 PM
Did you even bother reading the whole message?  We already noted that several of these attacks are pretty certainly the same individual or group...  And used the same attack vector of shared passwords.
Title: Re: IMPORTANT: Community security breach
Post by: SD-X on July 26, 2013, 09:41:02 PM
Quote from: Kindred on July 26, 2013, 09:25:44 PM
Did you even bother reading the whole message?  We already noted that several of these attacks are pretty certainly the same individual or group...  And used the same attack vector of shared passwords.
I'm well-aware of that one, (although I cannot speak for the guy who posted after me). I'm just a bit worried because of the timing between the three sites.

Also, if I'm remembering the original email announcement correctly, the user's password was stolen from another website where he used the same one, which was hacked. Given what has happened to Ubuntu and OVH Systems, it's a bit worrisome. Obviously they are likely not related, but it begs the question of "what if they could be".
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 26, 2013, 10:08:48 PM
Sugar, obviously you are not aware... or not reading closely enough.

YES! WE ARE FAIRLY CERTAIN THAT THE HACKS ***ARE*** RELATED. The hacks seemed to use the same vector with the same goal (acquire the memberlist and passwords)
Title: Re: IMPORTANT: Community security breach
Post by: SleePy on July 26, 2013, 10:17:48 PM
Quote from: tomreyn on July 26, 2013, 06:02:27 PM
I counted the time between initial discovery (as stated in the forum post) to when the first user on this forum I know received the e-mail announcement. Which is 4 days (July 22nd to July 26).

You may want to count again.  The initial post says the 22nd and this was posted on the 23rd (according to my timezone offset).  The fact you didn't get the email yet or took a while to receive it is something beyond our control.  In fact, I got the initial report as well and I can confirm that 16 hours is in fact accurate.  There are plenty of sites out there that will help you brush up on first grade math.

I am sure an intelligent person such as yourself knows and understands mass mailing and how it works.  I am sure you understand that services like Google, Yahoo, Hotmail/Outlook do not give a hoot when you are not a large site and they see you sending hundreds of emails to them in a short time period, will think it's spam regardless of the contents of the email.  I am sure you understand some people say "I don't want this" and click spam/junk/bulk and after enough can cause an IP to get blacklisted.  I am sure you understand what stress mass mail puts on servers.  I am sure you deal with this all the time for multiple people, setup firewalls, configure spam filters, manage servers and know the ins and outs of how the email goes from start to finish at the lowest levels of the OSI model.  I sure know all of this because it's what I do every day and have to understand it, because when I don't, somebody doesn't get their mail, can't get to the "internet" or Google blacklists their IP and makes it near impossible to get off the blacklist.

Thank you and have a good day.
Title: Re: IMPORTANT: Community security breach
Post by: Secretmapper on July 26, 2013, 10:30:32 PM
What sort of encryption algorithm were you using?
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 26, 2013, 10:33:58 PM
we use the standard SMF database structure. Please read the previous pages for a full discussion on why the encryption really doesn't matter anyway.
Title: Re: IMPORTANT: Community security breach
Post by: tassie73 on July 27, 2013, 12:05:58 AM
Thanks for the heads up everyone :)

Two things spring to mind after wading through all the responses to this topic.

First, looks like this has cleared out a bit of dead wood from SMF and that can only be a good thing. :-X Get rid of those that think they are far superior to the rest of us mere mortals ;)

Second, a huge thanks to all the admins and other SMF team members for their awesome patience in dealing with some really, really, really stupid comments and responses.

And to the admin whose password was compromised, s**t happens. I am sure I have made way worse mistakes than this and yet amazingly here I am!

Take it easy and thanks again.

Chris
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 27, 2013, 12:40:19 AM
Quote from: tomreyn on July 26, 2013, 06:02:27 PM
I counted the time between initial discovery (as stated in the forum post) to when the first user on this forum I know received the e-mail announcement. Which is 4 days (July 22nd to July 26).

16 hours would be really good indeed. How did you measure it?

Counted from first alert to when the mails first started being sent out. Due to various factors that are beyond the control of this site, we can't send all 300000 messages at once. It takes a bit of time to push that many messages out.

Quote from: tomreyn on July 26, 2013, 06:02:27 PM
So please do not go this route, the very, very most homebrew crypto and hashing mechanisms just fail miserably during the design phase, but their developers do not realize it.

If anything, SMF would probably move to something like bcrypt (http://en.wikipedia.org/wiki/Bcrypt), PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2), or scrypt (http://www.tarsnap.com/scrypt.html).

Personally, I'm in favor of PBKDF2 as it's had a lot more scrutiny and comes from RSA. The problem is compatibility issues. For anything fancy, you'll need PHP 5.5 or newer. There is a compatibility library that allows bcrypt on older PHP versions, but it's 5.3.7 and newer only. There are a lot of hosts on older versions (RHEL/CentOS 6 are only up to 5.3.3, and I don't know if the bcrypt flaw was patched in their packages).


Quote from: tomreyn on July 26, 2013, 06:02:27 PM
you make this really difficult when you add two-factor authentication which usually relies on mobile phones nowadays. There could also be hardware crypto tokens generating one-time passwords like those of RSA (where the secret master key recently became non-secret), but this involves purchases which not everyone can afford and which usually break pseudonymous operation. You could do the same with a free but closed-source software, but then you rely on the users' computers to not be compromised

Not necessarily. Something like Google Authenticator would work well. It's based on RFC 6238 and there are plenty of open and closed software products that implement it on desktop software and mobile devices.

At some point you have to trust you have done enough. Might I note that RSA had a breach of their SecurID database a while back, exposing the seed data for their customers' hardware tokens for customers who chose for RSA to retain that data.


Quote from: Secretmapper on July 26, 2013, 10:30:32 PM
What sort of encryption algorithm were you using?

SMF currently uses a salted SHA1 hash for passwords. It's not the best option, but it works with all the PHP versions SMF supports. It was also a pretty good choice when SMF switched to it and away from the older MD5 method.
Title: Re: IMPORTANT: Community security breach
Post by: mashby on July 27, 2013, 12:56:27 AM
The fact that this topic exists for all to see has a lot of merit for the administrators of SMF. A lot could have been swept under the rug, as in, this topic and the subsequent email could have never been sent and most if not all of us would have never been the wiser. Yes, the situation sucks. It would/might have happened to any site. Better to stand up and be counted in terms of integrity than to live in ignorance. Nice job, SMF, for being up front and honest. Kudos to you. :)
Title: Re: IMPORTANT: Community security breach
Post by: cxP57 on July 27, 2013, 03:46:06 AM
That's bad, glad I changed mine
Title: Re: IMPORTANT: Community security breach
Post by: lynngtx on July 27, 2013, 05:01:53 AM
Does this affect all forums that are powered by SM?
Title: Re: IMPORTANT: Community security breach
Post by: Trekkie101 on July 27, 2013, 05:03:22 AM
Quote from: lynngtx on July 27, 2013, 05:01:53 AM
Does this affect all forums that are powered by SM?

Nope, just this one was breached. If you use the same password here, and on other sites, you'd be best changing them.
Title: Re: IMPORTANT: Community security breach
Post by: OliB150 on July 27, 2013, 05:25:36 AM
Thanks for letting us all know, the email was quite well crafted to put it in a way for most audiences to understand. Shame it took a while for the email to get to me, but I understand the reasoning behind that (as has been discussed above), so I won't hold it against you!
Title: Re: IMPORTANT: Community security breach
Post by: ChrisNSF on July 27, 2013, 05:32:16 AM
Announcement on the 23rd, yet the e-mail announcement arrived just now, on the 27th???
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 27, 2013, 05:36:53 AM
Woohoo!  I just got mine  :D

Quote from: ChrisNSF on July 27, 2013, 05:32:16 AM
Announcement on the 23rd, yet the e-mail announcement arrived just now, on the 27th???

Read some of the posts above yours for an explanation of the basics of how servers handle emails.
Title: Re: IMPORTANT: Community security breach
Post by: ChrisNSF on July 27, 2013, 06:01:27 AM
Quote from: ChalkCat on July 27, 2013, 05:36:53 AM
Woohoo!  I just got mine  :D

Quote from: ChrisNSF on July 27, 2013, 05:32:16 AM
Announcement on the 23rd, yet the e-mail announcement arrived just now, on the 27th???

Read some of the posts above yours for an explanation of the basics of how servers handle emails.

Read a few posts up the thread before posting? That's not my style ;)

So I assume that, after taking the actions in the e-mail, and one's forum seems hunky dory, we're probably good?

And the e-mail was well-worded. I'm computer illiterate, so it was nice that I could read it without it resulting in my sobbing in the corner of the room saying "I don't know what to do!!!"  ;D
Title: Re: IMPORTANT: Community security breach
Post by: Renissi on July 27, 2013, 06:39:07 AM
Just got an email too from here...
Sad thing that there are idiots, jerks, assholes etc. etc. who want to destroy other people's things...
As I am a member who "never" visits here, I don't care much about my password. It's just 1 password for this site, and nothing more.
I use only 1 password per forum/site... But like I said, it is sad...

Thank you for the email.... Good luck!
Title: Re: IMPORTANT: Community security breach
Post by: mag07 on July 27, 2013, 06:56:17 AM
Cheers for the notification.  Wish people would stop blaming everyone else but themselves though.  This is a forum, with no sensitive info collected.  If your own password etiquette is poor, then you have only yourself to blame.   ****** happens, and frankly, you can't really expect every non-profit site on the web to have SSL, unless you'd be willing to pay for it as part of being in the community.

If you do things right, then you have nothing to worry about, breach or not; there is no need to blame someone to make yourself feel better ;)
Title: Re: IMPORTANT: Community security breach
Post by: French on July 27, 2013, 06:58:17 AM
The key question is: how to try to prevent this in the future?
Perhaps this modification/script (https://github.com/emanuele45/Force-New-Password), with some customization, may be suitable for this purpose, so that admins and team members are forced to change their password on a regular basis (with an expiry date provided); it is clear, and it has been shown, that this group in this particular case seems to be the weakest link.

Just a personal thought
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 27, 2013, 07:57:11 AM
Quote from: ChrisNSF on July 27, 2013, 06:01:27 AM

Read a few posts up the thread before posting? That's not my style ;)

So I assume that, after taking the actions in the e-mail, and one's forum seems hunky dory, we're probably good?

And the e-mail was well-worded. I'm computer illiterate, so it was nice that I could read it without it resulting in my sobbing in the corner of the room saying "I don't know what to do!!!"  ;D

At least you're honest about reaching straight for the reply button  :laugh:

Yes, if you have followed the instructions in the email the hack shouldn't affect you.  Our hacker is on a password-gathering spree with the aim of manipulating re-used passwords to gain access to other sites and repeat.  As long as your passwords have been changed and not reused elsewhere then you should be fine.  Also note that any login information shared via PM and secret questions/answers stored in your profile should also be considered compromised and changed here and anywhere else you may have used the same data, because we are working on the safest assumption that the hacker acquired the whole database.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 27, 2013, 07:58:21 AM
Forcing password changes every x days is a sure way to make certain that people use insecure passwords.
Title: Re: IMPORTANT: Community security breach
Post by: bdtcomp on July 27, 2013, 08:18:40 AM
I changed my password. Thank you.  8)
Title: Re: IMPORTANT: Community security breach
Post by: neothemachine on July 27, 2013, 08:59:03 AM
"This is !!NOT!! a security issue with the SMF software."

Indeed it is. The problem is that the admin page of SMF allows downloading database dumps. In my opinion, that's a hole which cannot get any bigger. Why do you have this feature at all? Backups should be done separately (e.g. by a weekly cron job on your server, or directly through the web hosting provider, or ...). It's not a task of the forum software, despite the fact that most forums offer it. Think about it! Don't put convenience over security.

BTW: I almost need 5 or more attempts for your verification image. Very annoying :)
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 27, 2013, 09:05:16 AM
oh, for the love of gods....

You didn't even bother to read the thread, did you?
We've already discussed this, SEVERAL TIMES.
The hacker did not access the database through the SMF database backup function.
Title: Re: IMPORTANT: Community security breach
Post by: Nomae on July 27, 2013, 09:17:39 AM
I'm afraid I am not well versed in using my forum site so this information has me asking the following question: what does this mean exactly?

First, you use the acronym "PM" what is that?  I'm pretty sure I haven't shared any passwords so I must not have shared them via "PM" but I'd like to be sure.

Second, what user database was hacked?  Just the one with my admin login to my forum, the user database that I just used to log into this forum site, does it include all the users of my forum?

I'm not sure to what extent I have to react to this.

I have changed the admin password on my forum site but don't know if I have to do more.

Please advise.
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 27, 2013, 09:24:31 AM
Hi Nomae, PM refers to the personal messaging system  :)

As long as the admin password you use on your forum is different from the one you had used here, your forum and your users should not be affected.  It's always a good idea to change the password anyway though  :)
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 27, 2013, 09:30:46 AM
The database HERE on simplemachines.org was hacked.

If you do not use the same password on any other site, then the only thing you need to do is change your password here.
If you DO use the same password across multiple sites then (first, naughty user) (second, change your password on all sites where you previously used a shared password -- and don't share the same password between multiple sites again)


Your own database and site was untouched (by this specific attack)
Title: Re: IMPORTANT: Community security breach
Post by: French on July 27, 2013, 09:54:15 AM
Would surely also involve team members in this case

Team members have access to some private sections of a forum; it seems to me you don't want to find items from those private sections out on the street when the login details of team members have been hacked.
Title: Re: IMPORTANT: Community security breach
Post by: dhaya.b on July 27, 2013, 10:20:25 AM
:-\ unfortunately I never use the same password for multiple sites... even so, from now on I will change my password periodically ..  ???
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 27, 2013, 11:10:33 AM
Quote from: Kindred on July 27, 2013, 07:58:21 AM
Forcing password changes every x days is a sure way to make certain that people use insecure passwords.

Agreed.  My employer tried this... new password weekly.  It was HELL.  Especially since you couldn't use your last 15 passwords or some such nonsense...

Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on July 27, 2013, 11:16:00 AM
I got my email... 3:24AM this morning... AND THIS HAPPENED BACK ON XX/XX/XX AND I AM JUST GETTING.... er... wait...

...nevermind.

;)

- D-Monga

Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 27, 2013, 11:20:20 AM
LOL  :laugh:
Title: Re: IMPORTANT: Community security breach
Post by: cmre on July 27, 2013, 12:03:57 PM
How can I change my password?
Title: Re: IMPORTANT: Community security breach
Post by: Shambles on July 27, 2013, 12:04:58 PM
^--- there's always one.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 27, 2013, 12:06:13 PM
Quote from: cmre on July 27, 2013, 12:03:57 PM
How can I change my password?

In your profile under account settings
Title: Re: IMPORTANT: Community security breach
Post by: tobyf on July 27, 2013, 12:12:12 PM
Kinda glad that I used my "cheapest" password for this forum now.


On a related matter, I despise forums that try to force complex passwords on users. Numbers and letters? NOT GOOD ENOUGH! It must be uppercase letters, and at least a symbol too. I mean, give me a break, this isn't like national security or something, it's a simple website run by John Doe, and they're probably dumping my password into their database either plain text, or SHA hashed - an algorithm that's been designed to be as fast as possible, so an attacker can try millions of passwords a second. Few people use proper password hashing functions, such as bcrypt.


Anyway, glad that at least SMF didn't force that on us. That way I could use a simple password, which I don't care about, but that I'll change anyway.


Usually if some random site forces me to use upper-case, lower-case and numbers, I use 'Password123'. It has all of that, so it just HAS GOT to be great, right guys?
PS.: 12:12:12 get !



Quote from: FrizzleFried on July 27, 2013, 11:10:33 AM
Agreed.  My employer tried this... new password weekly.  It was HELL.  Especially since you couldn't use your last 15 passwords or some such nonsense...

Use whichever password you would use, and add week of the year, and the year itself to it. BAMM - insta-secure!
Title: Re: IMPORTANT: Community security breach
Post by: mbail3y on July 27, 2013, 12:17:38 PM
Quote from: Kindred on July 27, 2013, 09:05:16 AM
oh, for the love of gods....

You didn't even bother to read the thread, did you?
We've already discussed this, SEVERAL TIMES.
The hacker did not access the database through the SMF database backup function.

That's the way I interpreted the email as well and I'm definitely not going to read 19 pages of posts.

On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admin accounts password was discovered, and from there further escalation wasn't too difficult considering admin privileges can do just about anything.
Title: Re: IMPORTANT: Community security breach
Post by: royster on July 27, 2013, 12:18:32 PM
Much appreciation for the heads-up. Our two websites have multiple Administrators (all trusted) and we lost one of our SMF sites for two weeks. It was not clear what the problem was, but it appeared to be within our server.

I posted your e-mail for all members to see on both sites.
Title: Re: IMPORTANT: Community security breach
Post by: French on July 27, 2013, 12:21:43 PM
Quote from: tobyf
Anyway, glad that at least SMF didn't force that on us. That way I could use a simple password, which I don't care about, but that I'll change anyway.

The regular users are not the group to which I referred
Quote
admins and team members are forced to change (date of expiry provided) their password on a regular basis, it is clear and it is shown that this group in this particular case seems to be the weakest link.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 27, 2013, 01:17:42 PM
doesn't matter if you target only a limited group or everyone - forcing time-limited passwords results in many more insecure passwords than otherwise.
Additionally, it doesn't stop the user(s) from changing the password here and then making all their other passwords match...
So, your suggestion is essentially pointless. Sorry.

Policy and education work more effectively than programmatically forcing users (or even just admins) to "comply".

Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 27, 2013, 01:24:51 PM
Quote from: tobyf on July 27, 2013, 12:12:12 PM
they're probably dumping my password into their database either plain text, or SHA hashed - an algorithm that's been designed to be as fast as possible, so an attacker can try millions of passwords a second. Few people use proper password hashing functions, such as bcrypt.

Just so you know, SHA1 was the best choice at the time. Yes, technology has caught up to make SHA1 less than ideal for anything but checksumming. However, PHP's bcrypt implementation had security flaws (http://php.net/security/crypt_blowfish.php) until 5.3.7 and the password_hash function using bcrypt didn't exist until 5.5.0. SMF 2.0 predates those PHP versions.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 27, 2013, 01:41:41 PM
Ah spit, not another one  ::)

Re the Ubuntu hack: from the alleged hacker    www.twitlonger.com/show/n_1rlft0d

And on the practicalities: a recent answer elsewhere     security.stackexchange.com/questions/12994/whats-the-practical-limit-for-rainbow-table-based-bruteforce

Excuse the non-active links - I'm new here.
Title: Re: IMPORTANT: Community security breach
Post by: tomreyn on July 27, 2013, 02:38:45 PM
Quote from: 青山 素子 on July 27, 2013, 12:40:19 AM
Counted from first alert to when the mails first started being sent out. Due to various factors that are beyond the control of this site, we can't send all 300000 messages at once. It takes a bit of time to push that many messages out.

Yes, good point, I guess that if you wanted to send out that many e-mails within a shorter period it just requires resources the typical free software project doesn't have access to. MegaGlest, which I contribute to, is in the same situation, though on a lower scale; we rely a bit on the infrastructure sourceforge.net provides, though, which, while attaching (sometimes ugly) sponsor messages, is free of fees, nice and stable most of the time. I also didn't realize it's that many, apologies for the ignorance.

Quote from: 青山 素子 on July 27, 2013, 12:40:19 AM
Quote from: tomreyn on July 26, 2013, 06:02:27 PM
So please do not go this route, the very, very most homebrew crypto and hashing mechanisms just fail miserably during the design phase, but their developers do not realize it.

If anything, SMF would probably move to something like bcrypt (http://en.wikipedia.org/wiki/Bcrypt), PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2), or scrypt (http://www.tarsnap.com/scrypt.html).

Personally, I'm in favor of PBKDF2 as it's had a lot more scrutiny and comes from RSA. The problem is compatibility issues. For anything fancy, you'll need PHP 5.5 or newer. There is a compatibility library that allows bcrypt on older PHP versions, but it's 5.3.7 and newer only. There are a lot of hosts on older versions (RHEL/CentOS 6 are only up to 5.3.3, and I don't know if the bcrypt flaw was patched in their packages).

Thanks for explaining how much consideration goes into this, I guess this gives a better impression of why something more modern hasn't been implemented yet. I'd still love to see some mechanism which leaves the ultimate choice to the site admin, but I do see how this involves even more work, and maybe too much. Surely those (fixed) options you discussed sound pretty good, and are not homebrew at all (which will be good).

Quote from: 青山 素子 on July 27, 2013, 12:40:19 AM
Quote from: tomreyn on July 26, 2013, 06:02:27 PM
you make this really difficult when you add two-factor authentication which usually relies on mobile phones nowadays. There could also be hardware crypto tokens generating one-time passwords like those of RSA (where the secret master key recently became non-secret), but this involves purchases which not everyone can afford and which usually break pseudonymous operation. You could do the same with free but closed-source software, but then you rely on the users' computers to not be compromised.

Not necessarily. Something like Google Authenticator would work well. It's based on RFC 6238 and there are plenty of open and closed software products that implement it on desktop software and mobile devices.

At some point you have to trust you have done enough. Might I note that RSA had a breach of their SecurID database a while back, exposing the seed data for their customers' hardware tokens for customers who chose for RSA to retain that data.

Yeah, I read about it, quite the worst case incident.

Google Authenticator should be a good multi-factor authentication option indeed, I hadn't thought of that, good point there.

Anyways, I'm glad to know that there are such considerate developers in SMF, it makes me think we made the right software choice after all. And I appreciate the development + support team's work, thanks everyone!
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 27, 2013, 02:46:58 PM
Quote from: tomreyn on July 27, 2013, 02:38:45 PM
Thanks for explaining how much consideration goes into this, I guess this gives a better impression of why something more modern hasn't been implemented yet. I'd still love to see some mechanism which leaves the ultimate choice to the site admin, but I do see how this involves even more work, and maybe too much. Surely those (fixed) options you discussed sound pretty good, and are not homebrew at all (which will be good).

SMF might switch to something more complex very soon, assuming hosts upgrade. The problem, of course, is that long-lived popular server distributions like RHEL/CentOS are still using PHP 5.3.3 in their latest stable releases. What they are doing makes sense for them, but it does make it a bit tough when one wants to use newer functionality. (Luckily, there are repositories like IUS that help.)

There are plenty of good solutions out there, the problem is compatibility.

Quote from: tomreyn on July 27, 2013, 02:38:45 PM
Anyways, I'm glad to know that there are such considerate developers in SMF, it makes me think we made the right software choice after all. And I appreciate the development + support team's work, thanks everyone!

Just to note, I'm not a developer on this project.
Title: Re: IMPORTANT: Community security breach
Post by: samrfactor on July 27, 2013, 02:53:58 PM
Thanks for the info, simplemachines! This news is a shame. A question: is there a greater risk in using version 2.0 rc5? May God help us.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 27, 2013, 02:58:33 PM
wow. If you are running 2.0RC5, you need to upgrade ASAP. This specific hack instance was not related to any security issue in the SMF Software... however, there have been NUMEROUS security fixes in the 5 versions between 2.0RC5 and 2.0.4
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 27, 2013, 03:01:53 PM
Kindred this user has just begun converting from vB 4.2, so he may have no choice but to land on RC5 (I haven't looked into the converters).

samrfactor, once you have finished the conversion from vB you must upgrade your SMF version to the most recent one, 2.0.4, to ensure the security of your forum.  RC5 is sooo old ;)
Title: Re: IMPORTANT: Community security breach
Post by: tumbleweed on July 27, 2013, 03:31:09 PM
Quote from: a10gf on July 26, 2013, 07:59:26 PM
*anything* is possible... take a look at this ATM hack:

http://www.youtube.com/watch?v=WZF4CnMCEsY

:D

Barnaby Jack, the researcher who had shown the proof of concept for the ATM hack, just passed away
http://news.cnet.com/8301-1009_3-57595776-83/atm-hacker-barnaby-jack-dies/

Just FYI is all...
Title: Re: IMPORTANT: Community security breach
Post by: Ddnhf on July 27, 2013, 03:42:09 PM
I'm curious to know what encryption method you guys are using.

Example;
MD5
SHA1
Blowfish
BCrypt

On a site I'm working on, I encrypted my passwords like so: sha1(md5(sha1(mysql_escape_string(htmlspecialchars(stripslashes(strip_tags($_POST['password'])))))))
When I attempted to decrypt the passwords, they were either not found, or appeared as another encryption. And the others are to prevent SQL injection.

Also, using PDO is very important as it's more secure than using mysql_* and mysqli_* functions.
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 27, 2013, 04:28:56 PM
We are using sha1. Also this has nothing to do with security of the software, but keeping passwords unique and secure.

Using nested encryption methods will just slow things down for the hacker.
Title: Re: IMPORTANT: Community security breach
Post by: SD-X on July 27, 2013, 04:42:16 PM
Quote from: neothemachine on July 27, 2013, 08:59:03 AM
"This is !!NOT!! a security issue with the SMF software."

Indeed it is. The problem is that the admin page of SMF allows to download database dumps. In my opinion, that's a hole which cannot get any bigger. Why do you have this feature at all? Backups should be done separately (e.g. by a weekly cron job on your server, or directly through the web hosting provider, or ...). It's not a task of the forum software, despite the fact that most forums offer it. Think about it! Don't put convenience over security.

BTW: I almost need 5 or more attempts for your verification image. Very annoying :)
1. Let's just remove all admins then. Everything they can do is dangerous to the forum!!!
/sarcasm :P

2. If it took you five attempts, then you keep making typos. That is a security feature itself. You just said we should remove a feature for security reasons, but you're complaining about another which provides some from spam attacks. Come on man, you can't have it both ways...




@ All SMF Devs: Thank you guys. Although I'm still a bit worried due to the massive number of similar attacks happening worldwide on the internet right now which could be related, it's nice to see that you guys indeed stepped forward to notify people, despite the bad image it may portray to some. That is honorable above all, and you have my respect for it. Trusting you guys with my data is one of the major reasons why I prefer your software over many others. At least I know I can be confident that you'll do everything to keep it safe, even when I'm hosting the forum software on my own website itself.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 27, 2013, 04:47:37 PM
I, for one, appreciate everything you said, there, matey!

Title: Re: IMPORTANT: Community security breach
Post by: kat on July 27, 2013, 04:49:13 PM
Title: Re: IMPORTANT: Community security breach
Post by: Ddnhf on July 27, 2013, 05:01:25 PM
Quote from: Yoshi on July 27, 2013, 04:28:56 PM
We are using sha1. Also this has nothing to do with security of the software, but keeping passwords unique and secure. Salting the SHA1 password *should* make it more secure.

Using nested encryption methods will just slow things down for the hacker.
SHA1 itself is not completely secure, there are websites that offer to decrypt SHA1 passwords.


$salt = rand(1000000,99999999);
$hashed_pwd = sha1($password . $salt);
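As an added example, not code from SMF or from anyone in this thread, here is the upgrade path 青山 素子 alluded to earlier (password_hash() with bcrypt on PHP 5.5, or the password_compat library on 5.3.7+), applied to a record stored in the kind of salted-SHA1 layout shown just above: verify against the old hash at login, then re-hash with bcrypt, which embeds its own salt in the hash string, so no separate salt column is needed. The legacy layout sha1($salt . $password) with a stored per-user salt is an assumption, not SMF's real schema, and the sample record is constructed.

```php
<?php
// Added example (not SMF code): verify a legacy salted-SHA1 record and, on a
// successful login, transparently re-hash the password with bcrypt.
// Needs PHP >= 5.5.0 for password_hash()/password_verify()/password_needs_rehash(),
// or the password_compat library on PHP >= 5.3.7.
// Assumed legacy layout: hex(sha1($salt . $password)) with the salt stored beside it.

function legacy_sha1_verify($password, $salt, $stored_hex)
{
    $candidate = sha1($salt . $password);
    // Constant-time comparison; hash_equals() only exists from PHP 5.6.
    if (function_exists('hash_equals')) {
        return hash_equals($stored_hex, $candidate);
    }
    if (strlen($stored_hex) !== strlen($candidate)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($candidate); $i < $n; $i++) {
        $diff |= ord($stored_hex[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// $user is a record like array('scheme' => 'sha1'|'bcrypt', 'salt' => ..., 'hash' => ...).
// Returns array(bool $ok, array $user) where $user may carry an upgraded hash
// that the caller must write back to the database.
function login_and_upgrade(array $user, $password, $bcrypt_cost = 10)
{
    $options = array('cost' => $bcrypt_cost);

    if ($user['scheme'] === 'bcrypt') {
        if (!password_verify($password, $user['hash'])) {
            return array(false, $user);
        }
        // The cost factor may have been raised since this hash was written.
        if (password_needs_rehash($user['hash'], PASSWORD_BCRYPT, $options)) {
            $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
        }
        return array(true, $user);
    }

    // Legacy path. A stored SHA1 cannot be converted offline, so the migration
    // can only happen while the plaintext is available, i.e. at login.
    if (!legacy_sha1_verify($password, $user['salt'], $user['hash'])) {
        return array(false, $user);
    }
    $user['hash']   = password_hash($password, PASSWORD_BCRYPT, $options);
    $user['salt']   = '';        // bcrypt carries its own salt inside the hash string
    $user['scheme'] = 'bcrypt';
    return array(true, $user);
}

// Constructed sample record (not real data): a user still on the legacy scheme.
$salt = 'k3Jd9Qx1';
$user = array(
    'scheme' => 'sha1',
    'salt'   => $salt,
    'hash'   => sha1($salt . 'correct horse'),
);

// A wrong password is rejected and leaves the record on the legacy scheme.
list($ok, $user) = login_and_upgrade($user, 'wrong password');
var_dump($ok, $user['scheme']);

// The first correct login verifies the SHA1 and rewrites the record as bcrypt.
list($ok, $user) = login_and_upgrade($user, 'correct horse');
var_dump($ok, $user['scheme']);

// Every later login takes the bcrypt path and bumps the cost if needed.
list($ok, $user) = login_and_upgrade($user, 'correct horse', 12);
var_dump($ok, password_get_info($user['hash']));
```

The caller has to persist the returned record after each successful login, otherwise the upgrade is lost and the user keeps authenticating against the SHA1 hash.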
Title: Re: IMPORTANT: Community security breach
Post by: SD-X on July 27, 2013, 05:03:31 PM
Quote from: K@ on July 27, 2013, 04:47:37 PM
I, for one, appreciate everything you said, there, matey!


And I appreciate all the work you guys do, so thank you too! :)
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 27, 2013, 05:09:45 PM
We enjoy it! (Most of the time)

I guess we're all masochists, really. ;)
Title: Re: IMPORTANT: Community security breach
Post by: SD-X on July 27, 2013, 05:14:28 PM
Quote from: K@ on July 27, 2013, 05:09:45 PM
We enjoy it! (Most of the time)

I guess we're all masochists, really. ;)
Well dear friend, sometimes it takes hard work, sweat, and Hell on Earth to make dreams come true...but in the end, it's all worth the fight you put up for it. :)
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 27, 2013, 05:18:44 PM
It does, at that. :)

There ARE times when you think "******, this is doing my braincell in" and feel like giving it up, I have to confess. (Maybe it's coz I'm old and falling to bits, that) ;)

There's always some happy, sparkly person comes around, though, to cheer me up, again. :)
Title: Re: IMPORTANT: Community security breach
Post by: SD-X on July 27, 2013, 05:37:25 PM
Quote from: K@ on July 27, 2013, 05:18:44 PM
It does, at that. :)

There ARE times when you think "******, this is doing my braincell in" and feel like giving it up, I have to confess. (Maybe it's coz I'm old and falling to bits, that) ;)

There's always some happy, sparkly person comes around, though, to cheer me up, again. :)
It's not just you man. It happens to everyone. The fact that you push through and keep going to reach your goals only proves further of how worthy you are to be making the project a reality. :)
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 27, 2013, 05:40:13 PM
Oh, I'm just a minion who tries to help people, when things screw up!

The people who do the REAL work kinda hide in cupboards, somewhere, clickity-clacking on keyboards...

:)
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 27, 2013, 05:46:12 PM
.... and occasionally demand cups of tea  :P
Title: Re: IMPORTANT: Community security breach
Post by: SD-X on July 27, 2013, 05:49:26 PM
Every person who does their part makes this project great. :)
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 27, 2013, 05:49:40 PM
Quote from: Ddnhf on July 27, 2013, 05:01:25 PM
Quote from: Yoshi on July 27, 2013, 04:28:56 PM
We are using sha1. Also this has nothing to do with security of the software, but keeping passwords unique and secure. Salting the SHA1 password *should* make it more secure.

Using nested encryption methods will just slow things down for the hacker.
SHA1 itself is not completely secure, there are websites that offer to decrypt SHA1 passwords.


$salt = rand(1000000,99999999);
$hashed_pwd = sha1($password . $salt);

Nothing is completely secure, which is the point.
Title: Re: IMPORTANT: Community security breach
Post by: kat on July 27, 2013, 05:55:13 PM
More caffeine in coffee, though. They're probably on espresso triple-shots, by now.
Title: Re: IMPORTANT: Community security breach
Post by: live627 on July 27, 2013, 06:03:59 PM
Quote from: K@ on July 27, 2013, 05:55:13 PM
More caffeine in coffee, though. They're probably on espresso triple-shots, by now.
wow, they'd be shaking so much that they wouldn't be able to type!
Title: Re: IMPORTANT: Community security breach
Post by: SD-X on July 27, 2013, 06:07:49 PM
Then they need more of me to balance them out while still giving them a rush! :D
Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on July 27, 2013, 06:44:17 PM
Quote from: K@ on July 27, 2013, 05:55:13 PM
More caffeine in coffee, though. They're probably on espresso triple-shots, by now.

Hmm... So it is actually coffee that has caffeine???

I always told the waitress to add a little coffee to my caffeine...   :P
Title: Re: IMPORTANT: Community security breach
Post by: brynn on July 27, 2013, 06:50:46 PM
Quote from: tassie73 on July 27, 2013, 12:05:58 AM
And to the admin whose password was compromised, s**t happens.
HUH???

Well first, I should say that I haven't had time to read all 21 pages of this topic. (I only got the email just now!)  But what I wonder (after I finish wondering why an admin was sharing a password in the first place) is why that admin didn't change his or her shared password when the other site was compromised?
Title: Re: IMPORTANT: Community security breach
Post by: xrunner on July 27, 2013, 07:07:39 PM
As an aside - why is the Ubuntu forum still down if the same thing happened to them? It went down on the 20th. Why can't they open it up and just tell everyone to reset passwords?  :-\
Title: Re: IMPORTANT: Community security breach
Post by: tumbleweed on July 27, 2013, 07:15:57 PM
Quote from: xrunner on July 27, 2013, 07:07:39 PM
As an aside - why is the Ubuntu forum still down if the same thing happened to them? It went down on the 20th. Why can't they open it up and just tell everyone to reset passwords?  :-\

That forum got hacked. This was a case of poor password care and usage.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 27, 2013, 07:18:13 PM
brynn,

because he was not aware that the other site had been compromised. The reason that we put this out as fast as we did after confirming the issue was to avoid just that scenario...  the hacker's goal was to acquire the information as quietly as possible, thus avoiding anyone knowing and resetting their passwords on other sites.

Actually, tumbleweed, early evidence suggests that a similar method may have been used across multiple sites, including ubuntu.
Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on July 27, 2013, 07:22:38 PM
Ubuntu is in the process of changing forum software, is what I heard.
That's why so long there.
Title: Re: IMPORTANT: Community security breach
Post by: xrunner on July 27, 2013, 07:25:09 PM
Quote from: BurkeKnight on July 27, 2013, 07:22:38 PM
Ubuntu is in the process of changing forum software, is what I heard.
That's why so long there.

Ah OK that accounts for the delay.
Title: Re: IMPORTANT: Community security breach
Post by: tumbleweed on July 27, 2013, 07:31:42 PM
Quote from: Kindred on July 27, 2013, 07:18:13 PM
brynn,

because he was not aware that the other site had been compromised. The reason that we put this out as fast as we did after confirming the issue was to avoid just that scenario...  the hacker's goal was to acquire the information as quietly as possible, thus avoiding anyone knowing and resetting their passwords on other sites.

Actually, tumbleweed, early evidence suggests that a similar method may have been used across multiple sites, including ubuntu.

I am still waiting to see some sort of report from sources about the multisite theory. Of course I am not in the loop of such things, I just tend to visit sites whose main content is security. Right now the only one I know of is Ubuntu.

Title: Re: IMPORTANT: Community security breach
Post by: spydercanopus on July 27, 2013, 08:03:01 PM
How do you find out if your forum was compromised?  Not implying that this relates to other SMF installs, but how did you find out?
Title: Re: IMPORTANT: Community security breach
Post by: bluedragon2k9 on July 27, 2013, 08:14:07 PM
I think that this is a sorry excuse for security. We all know that hackers post that stuff on multiple sites. So all of our data is floating around cyberspace. There is no excuse for this ******. You guys need to take steps to protect your forum users. And I bet there is a security hole in SMF forum software. Way to go SMF, I hope you feel a lot of butthurt. I know for one my days of using SMF are over, and if anyone is smart they will do the same.
So you keyboard cowboys, go ahead and defend them, I could give 2 ******s. But you all know there is no excuse for this. And their forum runs off their own software.
See you around guys ,,!,, you SMF, thanks for the big ****** of my data
Title: Re: IMPORTANT: Community security breach
Post by: evgueni on July 27, 2013, 08:16:31 PM
I fail to find how to change my community password here...
Does anybody else have trouble changing it?
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on July 27, 2013, 08:16:36 PM
Quote from: bluedragon2k9 on July 27, 2013, 08:14:07 PM
I think that this is a sorry excuse for security. We all know that hackers post that stuff on multiple sites. So all of our data is floating around cyberspace. There is no excuse for this ******. You guys need to take steps to protect your forum users. And I bet there is a security hole in SMF forum software. Way to go SMF, I hope you feel a lot of butthurt. I know for one my days of using SMF are over, and if anyone is smart they will do the same.
So you keyboard cowboys, go ahead and defend them, I could give 2 ******s. But you all know there is no excuse for this. And their forum runs off their own software.
See you around guys ,,!,, you SMF, thanks for the big ****** of my data

LOL! So, what is all this data of yours that you believe is "floating around cyberspace"? Did you fail to read through this thread before commenting? Ignorance is bliss and it surely shows in this thread.
Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on July 27, 2013, 08:19:07 PM
bluedragon2k9

If you bothered to read, instead of being rude and obnoxious, you'd see that this is NOT a security issue with the SMF forum.
This hack at this site originated at another site, and it just so happened that a user there is an admin here and used the same password.

Clean up your language and attitude.
If this was my site, you'd be banned by now.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 27, 2013, 08:23:35 PM
Quote from: tumbleweed on July 27, 2013, 07:15:57 PM
Quote from: xrunner on July 27, 2013, 07:07:39 PM
As an aside - why is the Ubuntu forum still down if the same thing happened to them? It went down on the 20th. Why can't they open it up and just tell everyone to reset passwords?  :-\

That forum got hacked. This was a case of poor password care and usage.

Ours was evidently hacked as well. Although you may find "cracked" a more preferable term.
And yes, multiple sites that were hacked are related to this.

And the Ubuntu forum is still down, so I was told, because it was run by a third party and Canonical now wants to run it themselves to prevent (further) damage to their brand. (In the future) They want to ensure it's safe.


Quote from: bluedragon2k9 on July 27, 2013, 08:14:07 PM
I think that this is a sorry excuse for security. We all know that hackers post that stuff on multiple sites. So all of our data is floating around cyberspace. There is no excuse for this ******. You guys need to take steps to protect your forum users. And I bet there is a security hole in SMF forum software. Way to go SMF, I hope you feel a lot of butthurt. I know for one my days of using SMF are over, and if anyone is smart they will do the same.
So you keyboard cowboys, go ahead and defend them, I could give 2 ******s. But you all know there is no excuse for this. And their forum runs off their own software.
See you around guys ,,!,, you SMF, thanks for the big ****** of my data

The only one that seems to be butthurt around here is you. Let it flow through you.

Anyway, a password being stolen from another community is not a flaw in the SMF software.
Although I think I'm wasting my time trying to explain anything to you anyway, judging by the way you write.


Quote from: spydercanopus on July 27, 2013, 08:03:01 PM
How do you find out if your forum was compromised?  Not implying that this relates to other SMF installs, but how did you find out?

If you're concerned you might be hacked, scan your home directory for recently changed files.
Anything that wasn't modified by yourself: check it out for suspicious code.
Title: Re: IMPORTANT: Community security breach
Post by: tumbleweed on July 27, 2013, 08:49:46 PM
Hold up here. So SMF was cracked as well? (yes I do know the difference between both terms).

In the OG post I read.
Per your words CoreISP
Quote
Unfortunately for us, an Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.

Soo... which is the case? And did you mean "cracker", not "hacker"?

Just trying not to be confused to what has occurred.

*fixed my poor choice of words*
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 27, 2013, 08:56:46 PM
In a way yes.
Assuming that the other site that was hacked had their passwords encrypted, the hacker would first have to decrypt that password ("crack") in order to use it to login here.

It's not like the server or site was hacked/cracked in the pure essence of the word, but the database of the other site allowed the administrator's password to be cracked and thusly obtain access here. Yet, now that it is our database that will be in the hands of whoever did it, it means that the passwords in our database are prone to such "cracking" as well now.

Bit confusing to explain, I know. :P
Hope this cleared it up though.
Title: Re: IMPORTANT: Community security breach
Post by: BigBen on July 27, 2013, 09:15:33 PM
This might benefit most, not saying this will EVER keep you from being hacked, but I use different user names on various places, if it's a little bit the same, I would add characters or numbers to keep the hacker guessing.
It's just something I've always done... Just my 2 cents.
Title: Re: IMPORTANT: Community security breach
Post by: Herman's Mixen on July 27, 2013, 10:05:11 PM
time to implement sha1, sha2 and sha3 combined :P
Title: Re: IMPORTANT: Community security breach
Post by: medicMe on July 27, 2013, 10:28:06 PM
I just wanted to say:

I think CoreISP and the admins have done a great job.

The people giving him/them crud for the breach and how it was handled probably don't have a basis of understanding that qualifies them to make such comments in the first place. It's annoying to read.

So thanks CoreISP and gang! And I hope the rest of the fallout goes well. :)

Cheers
Title: Re: IMPORTANT: Community security breach
Post by: Herman's Mixen on July 27, 2013, 10:30:13 PM
We are Secure :D

yes the team did a great job working on this one :P
Title: Re: IMPORTANT: Community security breach
Post by: TheListener on July 27, 2013, 10:36:54 PM
Quote from: ChalkCat on July 27, 2013, 05:46:12 PM
.... and occasionally demand cups of tea  :P

Which you take hours to make.

:D
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 28, 2013, 01:00:17 AM
Thanks! :)
Title: Re: IMPORTANT: Community security breach
Post by: French on July 28, 2013, 01:28:58 AM
You all have surely done a great job, and kept the members well informed; that deserves respect.

Just curious
How did you discover that the database was hacked? Were there any signs or indications that something was going on?
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 28, 2013, 01:44:18 AM
No comment at this time.

If you suspect you might be affected, do a scan on your homedir for recently changed files and check your admin profiles for weird IPs.
"find -mtime" is an example of a nice tool to use for finding modified files.
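As an added example (not the SMF team's code or procedure), the check LiroyvH describes, in Python rather than find: list files modified in the last N days, and compare content hashes against a known-good manifest, since an edited file can have its mtime set back but not its hash. Paths and file contents in the demo are constructed.

```python
import hashlib
import os
import time
from pathlib import Path


def recently_modified(root, days, now=None):
    """Files under root whose mtime is within the last `days` days; the same
    check as `find ROOT -type f -mtime -DAYS`."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:        # unreadable or vanished file: skip, do not crash
                continue
            if st.st_mtime >= cutoff:
                hits.append(path)
    return sorted(hits)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root. Build it from a
    known-good install or a clean backup, and keep it off the web server."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_manifest(root, manifest):
    """(new, changed, missing) file lists relative to the known-good manifest.
    An mtime can be reset with touch; a content hash cannot be."""
    current = build_manifest(root)
    new = sorted(set(current) - set(manifest))
    missing = sorted(set(manifest) - set(current))
    changed = sorted(p for p in current.keys() & manifest.keys()
                     if current[p] != manifest[p])
    return new, changed, missing


def demo():
    """Constructed tree (not a real SMF install): one file edited after the
    baseline, one dropped in, one untouched for 40 days."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Sources").mkdir()
        (root / "index.php").write_text("<?php // constructed clean file\n")
        (root / "Sources" / "Load.php").write_text("<?php // constructed clean file\n")
        manifest = build_manifest(root)          # baseline taken while clean

        (root / "Sources" / "Load.php").write_text("<?php // constructed: edited\n")
        (root / "cache").mkdir()
        (root / "cache" / "data_x.php").write_text("<?php // constructed: unexpected\n")
        old = time.time() - 40 * 86400
        os.utime(root / "index.php", (old, old))  # looks untouched for 40 days

        recent = [str(p.relative_to(root)) for p in recently_modified(root, 7)]
        new, changed, missing = diff_against_manifest(root, manifest)
        return {"recent": recent, "new": new, "changed": changed, "missing": missing}


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:8s} {paths}")
```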
Title: Re: IMPORTANT: Community security breach
Post by: French on July 28, 2013, 02:11:58 AM
Quote from: CoreISP
No comment at this time.
Clear, I suppose the investigation is still ongoing... thanks anyway for your explanation  ;)
Title: Re: IMPORTANT: Community security breach
Post by: brynn on July 28, 2013, 03:52:51 AM
Quote from: Kindred on July 27, 2013, 07:18:13 PM
brynn,

because he was not aware that the other site had been compromised. The reason that we put this out as fast as we did after confirming the issue was to avoid just that scenario...  the hacker's goal was to acquire the information as quietly as possible, thus avoiding anyone knowing and resetting their passwords on other sites.

Ooohh, I see.  Thanks for explaining that  ;)

edit - removed some unimportant ramblings  :laugh:




Quote from: evgueni on July 27, 2013, 08:16:31 PM
I fail to find how to change my community password here...
Does anybody else have trouble changing it?

1 - From the navigation bar, click on Profile > Account Settings.
2 - Type in your new password twice, in the space provided.  (Or copy/paste, for better accuracy.)
3 - If you set up a secret question for yourself (previously) you'll see that next, and you'll need to answer it.  (If you've never set one up, just skip that part.)  (Or maybe you'd like to take this opportunity to set one?)
4 - Then at the bottom, type your old password.  (Or copy/paste, for better accuracy.)
5 - If you normally use the forum in a non-Albanian language, be sure and set Preferred Language (near the top) to your language, before you click Change Profile.  Otherwise, parts of the site will show up in Albanian language.  (Guess how I learned that?!  ;D)
6 - Click Change Profile.

When the page changes, you should see little text that says your profile was changed successfully.
Title: Re: IMPORTANT: Community security breach
Post by: dsl25 on July 28, 2013, 06:05:27 AM
If this is still of any interest: I got the email today, about 10 hours ago.
I don't know my ID but this is probably a high figure as I joined about 1 month ago.

Sorry for what happened, we always learn from mistakes but, anyhow, hackers are always one step ahead - whatever we do.

Nobody is 100% secure on the internet and I find all those posts trying to blame someone really pathetic. If you want to blame somebody just blame yourself using the internet. Typing machines and faxes are still on sale in specialized stores. After purchase just use the "rollback 1 century" feature on your keyboard.
Title: Re: IMPORTANT: Community security breach
Post by: French on July 28, 2013, 06:39:56 AM
Quote from: dsl25
Nobody is 100% secure on the internet and I find all those posts trying to blame someone really pathetic.
You are right about that, that makes no sense at all.
But a little criticism is allowed here or not  ;) One of the most common database-related vulnerabilities is a poor password policy; like I said before, passwords must be changed on a regular basis. Not everyone seems to agree, but in my opinion, certainly when you're in the administrators and team members group, it's a must; this group is more interesting to a hacker than a regular user, I think?
Title: Re: IMPORTANT: Community security breach
Post by: incomviet on July 28, 2013, 08:04:48 AM
Wondering which Admin very good
Title: Re: IMPORTANT: Community security breach
Post by: Antes on July 28, 2013, 08:19:02 AM
Quote from: incomviet on July 28, 2013, 08:04:48 AM
Wondering which Admin very good

All of them awesome, true story :P
Title: Re: IMPORTANT: Community security breach
Post by: Joker™ on July 28, 2013, 08:42:03 AM
Hi everyone,

First of all thanks for the info Core.

I still remember back in 2009, I was a moderator of a pretty large website. When it got hacked the admin informed us secretly that the DB was hacked and we should change our passwords; moreover he/she told us not to transfer the news to other members.

Well, looking at that incident and the current incident (what happened with SMF), it's really a great gesture shown by the SMF team by informing all of us and getting into discussion with its members. As a member, this sort of transparency from the administrating team is really appreciable. Just my thoughts.

- Joker (without TM this time :P).
Title: Re: IMPORTANT: Community security breach
Post by: Dav999 on July 28, 2013, 09:44:36 AM
I received the mail yesterday, thanks for the info. For the SMF team, it's a pity that this has happened because they will lose trust of people who keep thinking it's a security problem in SMF even though it has been clearly stated that it isn't.
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on July 28, 2013, 09:54:57 AM
Yes, unfortunately some people will always choose to believe their own thing no matter what information is presented to them.  All anybody honest can do is exactly what the SMF team have done: provide factual, transparent and timely information.  How people choose to receive that information is beyond our control  :(
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 28, 2013, 12:43:16 PM
Quote from: French on July 28, 2013, 06:39:56 AM
like I said before, passwords must be changed on a regular basis. Not everyone seems to agree

Many prominent security minds disagree with your opinion:

Bruce Schneier says (https://www.schneier.com/blog/archives/2010/11/changing_passwo.html):
Quote
So in general: you don't need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you've shared a computer with, change them all.


Gene Spafford says (http://www.cerias.purdue.edu/site/blog/post/password-change-myths/):
Quote
The result is a stale policy that may no longer be effective...or possibly even dangerous.

Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.

...

This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security!    It is a "best practice" based on experience 30 years ago with non-networked mainframes in a DoD environment—hardly a match for today's systems, especially in academia!


Steve Bellovin, in the magazine IEEE Security and Privacy writes (PDF) (https://www.cs.columbia.edu/~smb/papers/01588836.pdf) (Google Docs Viewer) (https://docs.google.com/viewer?url=https://www.cs.columbia.edu/~smb/papers/01588836.pdf):
Quote
Users have to remember too many passwords these days; if they're forced to change them too often, evasive behavior results. Password patterns—secret1, secret2, Secret1, Secret2, and so on—can't be detected unless cleartext of old passwords is stored (on yellow stickies or in plaintext files on insecure machines, for example).


Anne Adams and M. Angela Sasse in the magazine Communications of the ACM write (PDF) (http://hornbeam.cs.ucl.ac.uk/hcs/people/documents/Angela%20Publications/1999/p40-adams.pdf) (Google Docs Viewer) (http://docs.google.com/viewer?url=http://hornbeam.cs.ucl.ac.uk/hcs/people/documents/Angela%20Publications/1999/p40-adams.pdf):
Quote
Many users have to remember multiple passwords, that is, use different passwords for different applications and/or change passwords frequently due to password expiration mechanisms. Having a large number of passwords reduces their memorability and increases insecure work practices, such as writing passwords down—50% of questionnaire respondents wrote their passwords down in one form or another. One employee emphasized this relationship when he said "...because I was forced into changing it every month I had to write it down."


I think I'll trust the wisdom of the folks who have done computer security research for decades over some random person on this board.

Do feel free to cite resources to back up your opinion.
Title: Re: IMPORTANT: Community security breach
Post by: giappaig on July 28, 2013, 01:30:29 PM
If you encode a password in MD5 or SHA-1, can a hacker decode it?
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 28, 2013, 01:53:24 PM
Quote from: giappaig on July 28, 2013, 01:30:29 PM
If you encode a password in MD5 or SHA-1, can a hacker decode it?

Yes, it can be decrypted.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 28, 2013, 02:17:40 PM
Quote from: CoreISP on July 28, 2013, 01:53:24 PM
Yes, it can be decrypted.

But if your password has sufficient entropy, an ordinary pest like Sputn1k probably won't bother trying. For alphanumeric passwords of 12 characters or more, your cracker is more likely to work for someone with their own undersea lair or a seat on the UN security council.
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 28, 2013, 02:20:49 PM
Quote from: CoreISP on July 28, 2013, 01:53:24 PM
Quote from: giappaig on July 28, 2013, 01:30:29 PM
If you encode a password in MD5 or SHA-1, can a hacker decode it?

Yes, it can be decrypted.

To be accurate, the encryption (it's actually called a hash (https://en.wikipedia.org/wiki/Cryptographic_hash_function)) can be broken by finding something else that matches the hash. It can't be decoded in the sense of being able to reverse the encryption.

If you have a really strong password, it'll be more difficult for the hash to be broken for you. If you use a weak password, it'll be easier and faster. No matter what, it's a matter of time and you should be careful and change the password here.
Title: Re: IMPORTANT: Community security breach
Post by: rickmastfan67 on July 28, 2013, 02:23:49 PM
Man, it took 3+ days before I got the e-mail about this.  But I have changed my password.  Don't think I used it on any other website.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 28, 2013, 02:35:54 PM
Quote from: 青山 素子 on July 28, 2013, 02:20:49 PM
it's a matter of time

Potentially, millennia - though it's a reasonable precaution to change a password if the hash has been pinched. The more usual way to get hold of someone's login is in plain text off their own compromised machine.
Title: Re: IMPORTANT: Community security breach
Post by: French on July 28, 2013, 03:37:54 PM
Quote from: 青山 素子
Many prominent security minds disagree with your opinion
In this case that's hard to believe.

Quote
Unfortunately for us, an Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.

The database of the SMF forum has been hacked because an administrator password has been cracked... that's a fact.
No problem, it's history, nothing more can be done about it.
But it was a result of poor password policy.

So tell me what's wrong if admins' and team members' passwords should be changed on a regular basis, in order to reduce the chance that this will ever happen again.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 28, 2013, 03:57:29 PM
Quote
Potentially, millennia - though it's a reasonable precaution to change a password if the hash has been pinched. The more usual way to get hold of someone's login is in plain text off their own compromised machine.

Considering you can brute with billions of different hashes per second, it all depends on the password strength.
If you use a password like "redwinebottle", it's a matter of seconds to minutes.
If you use a password with 30 completely random characters, upper/lower case differences and special characters: it's going to be *a lot* more difficult.


Quote
So tell me what's wrong if admins' and team members' passwords should be changed on a regular basis, in order to reduce the chance that this will ever happen again.

Nothing if it's maybe once a year or so, but your comparison is wrong. In order to reduce the chance of this happening, it's not a matter of changing password regularly. It's a matter of not using the same password on different sites.
If the person that wants access doesn't know the hashed password, it's impossible to decrypt it and you'll have to brute force it on the server. (Which is a lot harder due to various reasons, if someone tries to brute force it with billions of attempts per second: the server will crash on the first second. In fact, the amount of data required to send so many hashes would probably already choke the network connection so it would be more a denial of service than a bruteforce attack...)

So, as long as different passwords are used on different websites, the only reason to change passwords would be if it's potentially obtained in another way.
BUT, if it's stolen from a computer, say due to the use of a keylogger, network sniffing or whatever: the password is instantly obtained and no matter how many times you change password: the hacker can obtain access right then and there.

Which leads to the question: what's the major advantage in changing it over and over again if you have a very strong password that you don't use elsewhere?
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 28, 2013, 04:31:57 PM
as I have said previously.. forcing users (even a limited subset of users) to change password leads to INSECURE passwords.
Since they have to change them, people use series or other easily remembered passwords instead of one very secure password that they can memorize once....
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on July 28, 2013, 05:19:59 PM
Quote from: Tiny Clanger on July 28, 2013, 02:35:54 PM
Quote from: 青山 素子 on July 28, 2013, 02:20:49 PM
it's a matter of time

Potentially, millennia - though it's a reasonable precaution to change a password if the hash has been pinched.

Yes, with current technology. Unfortunately, technology seems to have a way of getting better and better at things. Also, sometimes flaws are discovered in existing cryptography methods that break hashes. New methods of analysis are being developed everyday by very smart people.


Quote from: French on July 28, 2013, 03:37:54 PM
Quote from: 青山 素子Many prominent security minds disagree with your opinion
In this case that's hard to believe .

Did you bother to check my references? I mean, Bruce Schneier, creator of PGP, Blowfish (used in bcrypt) disagrees with you. Gene Spafford, who analyzed the Morris Worm (the first Internet "virus") and is an adviser to the National Science Foundation disagrees with you. Steve Bellovin, a creator of USENET, creator of a few security protocols, and Chief Technologist at the Federal Trade Commission disagrees with you. So do M. Angela Sasse and Anne Adams, prominent security researchers.

Provide your credentials or some citations showing that you're right. I'm waiting.
Title: Re: IMPORTANT: Community security breach
Post by: IchBin™ on July 28, 2013, 08:43:07 PM
I still have not received any announcement from SMF. This has happened before in the past to me. Curious if you can find any reason why Core. :D
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 28, 2013, 09:11:27 PM
Quote from: IchBin™ on July 28, 2013, 08:43:07 PM
I still have not received any announcement from SMF. This has happened before in the past to me. Curious if you can find any reason why Core. :D

It doesn't like you! :P
I'll try to check it out mate, it's not in your spam folders either?
Title: Re: IMPORTANT: Community security breach
Post by: French on July 29, 2013, 01:10:09 AM
Quote from: CoreISP
Which leads to the question: what's the major advantage in changing it over and over again if you have a very strong password that you don't use elsewhere?
Okay, you all convinced me... nice, instructive and useful discussion, thank you all  ;)
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 29, 2013, 08:52:10 AM
Quote from: CoreISP on July 28, 2013, 03:57:29 PM
Considering you can brute with billions of different hashes per second, it all depends on the password strength.
If you use a password like "redwinebottle", it's a matter of seconds to minutes.

Actually redwinebottle is relatively resistant to brute force. It's susceptible to dictionary attack. (... I'll get my coat.)

Quote
If you use a password with 30 completely random characters, upper/lower case differences and special characters: it's going to be *a lot* more difficult

to remember  ;) (and a bit OTT even for a keychain)

see http://xkcd.com/936/

for a more human approach, though the example's a bit light on entropy. Or you can still use mnemonic phrases. I could think that SMF makes me think of Smurfs and I associate Smurfs with the Barron Knights' 1978 spoof of the Smurf Song: "Where are you all coming from? We're from Dartmoor, on the run." So my password would be (but isn't) BK78WayacfWfDotr, which is annoyingly memorable. It's nowhere near random, just humanly muddled, but it's long enough for muddled to be good enough, even with a fast hash. That is, it would last the time taken for admins to notice their db's been pinched and alert users, even if users then realise they've been a bit human and are using the same login elsewhere. (Don't need to worry too much about future technologies for present purposes.)

In the case of the Ubuntu hack, Sputn1k claims that cracking the passwords would be too much bother for the return. But with all those lovely email addresses, were I similarly minded, I'd go phishing.  :(
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 29, 2013, 09:51:11 AM
Quote
Actually redwinebottle is relatively resistant to brute force. It's susceptible to dictionary attack.

/me considers a dictionary attack as a way of brute forcing as well.
After all, it has to keep trying different words/word combinations.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 29, 2013, 10:11:17 AM
Obviously you're entitled to your opinion  :) :), but they are distinctly different forms of attack, not least in resources required, and shouldn't really be conflated.
Quote from: CoreISP on July 28, 2013, 03:57:29 PM
Considering you can brute with billions of different hashes per second
That describes a brute force attack, but it's not the method that'll get you redwinebottle in a hurry.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 29, 2013, 11:33:11 AM
/me shrugs
If you want to deny the similarities, be my guest. :)
Sure they are different types of attacks, doesn't mean they don't have quite a few things in common.

But actually, bruting a pass like that, if it's even actually required and there isn't a previously available hash for something simple like that, shouldn't take too long.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 29, 2013, 02:22:48 PM
Quote from: CoreISP on July 29, 2013, 11:33:11 AM
If you want to deny the similarities

Now you know that's not what I was doing.  ;) I was showing that you were confusing the two.  :) ::)

Let's try a quick MD5 hash.  :) Hmm, not in the database I have to hand. Lets try ripping it. Nope, nope, gotcha - though I did know what I was looking for. Were I to feed it to the cat, on the other hand, it would potentially be chewing for a lot longer and/or at greater expense than you suspect. In this case it wouldn't be necessary because we've already caught it the easy way, but in general it wouldn't be attempted without a very strong reason to need that particular password.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 29, 2013, 03:26:47 PM
Quote
I was showing that you were confusing the two.

No not really actually. It was you who made the link to dictionary attacks. I didn't say anything about that myself :P
"redwinebottle" was a simple example of a random simple password... Such a password will still be much easier to brute than say a password like this: "FIN6@,k;vUcf>I<*7dl54r~2401[XxEZ[-A{N". (That's the root password to nsa.gov! :P Before anyone gets their hopes up: it's a password I randomly created.)

Sure, a dictionary attack might be (much) faster to crack "redwinebottle" and less resource intensive, but that wasn't really what I was getting at. I was merely pointing out what a simple password is and showing an example, rather than picking the best method to crack such a password...
On a sidenote, "redwinebottle" has probably already been calculated so many times that I doubt it needs more than a second to compare it with pre-calculated hash tables, heh.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 30, 2013, 04:52:07 AM
Quote
Considering you can brute with billions of different hashes per second, it all depends on the password strength.
If you use a password like "redwinebottle", it's a matter of seconds to minutes.

suggests a confusion between brute-force and dictionary attacks, and the explanatory assertion

Quote
CoreISP considers a dictionary attack as a way of brute forcing as well.
After all, it has to keep trying different words/word combinations.

confirms the confusion. The alternative explanation:

Quote
But actually, bruting a pass like that [...] shouldn't take too long.

Well, we're not talking "seconds to minutes". There are different ways to estimate it, but for a flavour, see http://password-checker.online-domain-tools.com/ (It's not something you'd try in bulk.) Then try the dictionary-attack check.

Quote
"redwinebottle" has probably already been calculated so many times that I doubt it needs more than a second to compare it with pre-calculated hash tables, heh

I think salting has already been discussed, but see also https://crackstation.net/hashing-security.htm
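To put numbers on the keyspace arguments in this exchange (the "billions per second" guess rate, "redwinebottle" as a brute-force versus a dictionary target, the xkcd 936 passphrase, and the 30-character random string), here is an added example that is not from the thread. The ten-billion-guesses-per-second rate and the 20,000-word dictionary size are assumptions, and the 30-character string is constructed to contain all four character classes.

```python
import math
import string

GUESSES_PER_SECOND = 10e9          # assumed attacker rate against an unsalted fast hash
SECONDS_PER_YEAR = 365.25 * 86400


def inferred_alphabet(password):
    """Alphabet size a brute-force attacker must cover, inferred from the
    character classes actually present (lower, upper, digit, punctuation)."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),   # 32
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def brute_force_space(password):
    """Exhaustive search over the inferred alphabet: alphabet ** length."""
    return inferred_alphabet(password) ** len(password)


def dictionary_space(words, dictionary_size):
    """Dictionary attack on a password made of `words` dictionary words."""
    return dictionary_size ** words


def bits(space):
    """Entropy-equivalent size of a keyspace in bits."""
    return math.log2(space)


def worst_case_seconds(space, rate=GUESSES_PER_SECOND):
    """Time to try every candidate; the expected time is about half this."""
    return space / rate


def summary():
    """Compare the password styles discussed in the thread. The 30-character
    string is constructed for this example and is not anyone's password."""
    random30 = "Qv7#mL2$pR9!xT4%wN8&zK6^hB3*jF"
    cases = {
        "redwinebottle, brute force": brute_force_space("redwinebottle"),
        "redwinebottle, 3 words from 20k dictionary": dictionary_space(3, 20_000),
        "4 random words from 2048-word list (xkcd 936)": dictionary_space(4, 2048),
        "30 random chars, 4 classes": brute_force_space(random30),
    }
    return {
        name: {"bits": round(bits(space), 1),
               "worst_case_years": worst_case_seconds(space) / SECONDS_PER_YEAR}
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:48s} {result['bits']:6.1f} bits  "
              f"{result['worst_case_years']:.3g} years")
```

The arithmetic supports both sides of the exchange: treated as 13 lowercase letters, "redwinebottle" is about 61 bits and years of exhaustive search at that rate, but treated as three common words it is about 43 bits and minutes.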
Title: Re: IMPORTANT: Community security breach
Post by: tomreyn on July 30, 2013, 09:32:06 AM
Quote from: 青山 素子 on July 27, 2013, 02:46:58 PM
SMF might switch to something more complex very soon, assuming hosts upgrade. The problem, of course, is that long-lived popular server distributions like RHEL/CentOS are still using PHP 5.3.3 in their latest stable releases. What they are doing makes sense for them, but it does make it a bit tough when one wants to use newer functionality. (Luckily, there are repositories like IUS that help.)

There are plenty of good solutions out there, the problem is compatibility.

That's why I think the right solution is one where the admin(s) configure(s) the hashing mechanism to use, and where SMF upgrade scripts allow you to switch to a different one (by means of a site-wide password reset, a process which needs yet to be developed or documented in a secure fashion, too). Making this configurable is the only way you can keep both users of legacy and current software happy. And this issue of having to support both old and current versions, where only current versions provide sufficient security by contemporary standards, is not going to go away any time soon.

Quote from: 青山 素子 on July 27, 2013, 02:46:58 PM
Just to note, I'm not a developer on this project.

Thanks for pointing this out, I actually missed it.
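A configurable hashing registry of the kind tomreyn describes, as an added example (not SMF code): every stored hash carries a scheme tag, the admin picks the current scheme and work factor, and, instead of the site-wide password reset he mentions, a record is rehashed the next time its owner logs in with a valid password. The unsalted SHA-1 legacy scheme, the `$tag$data` storage format and the setting names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Admin-configurable settings (assumed names; a real forum would keep these in its
# site configuration rather than in code).
CURRENT_SCHEME = "pbkdf2"
PBKDF2_ITERATIONS = 200_000


def _sha1_hash(password):
    """Constructed stand-in for an unsalted legacy scheme: plain SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _sha1_verify(password, data):
    return hmac.compare_digest(_sha1_hash(password), data)


def _pbkdf2_hash(password, iterations=None, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the work factor is stored so it can be raised later."""
    iterations = iterations or PBKDF2_ITERATIONS
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def _pbkdf2_verify(password, data):
    try:
        iterations, salt_hex, dk_hex = data.split("$")
        iterations, salt = int(iterations), bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: never treat it as a match
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _pbkdf2_outdated(data):
    """True when the stored work factor is below the configured one."""
    return int(data.split("$")[0]) < PBKDF2_ITERATIONS


# tag -> (hash, verify, outdated). A legacy tag is always upgraded, see below.
SCHEMES = {
    "sha1": (_sha1_hash, _sha1_verify, lambda data: True),
    "pbkdf2": (_pbkdf2_hash, _pbkdf2_verify, _pbkdf2_outdated),
}


def make_hash(password, scheme=None):
    """Produce a tagged record, by default with the admin-selected scheme."""
    scheme = scheme or CURRENT_SCHEME
    return f"${scheme}${SCHEMES[scheme][0](password)}"


def verify_and_upgrade(stored, password):
    """Check a login. Returns (ok, new_record); new_record is set when the stored
    record uses a legacy scheme or a weaker work factor and should be rewritten."""
    try:
        _, tag, data = stored.split("$", 2)
    except ValueError:
        return False, None
    if tag not in SCHEMES:
        return False, None  # unknown scheme: refuse rather than guess
    _, verify, outdated = SCHEMES[tag]
    if not verify(password, data):
        return False, None
    if tag != CURRENT_SCHEME or outdated(data):
        return True, make_hash(password)  # only rehash once the password is proven
    return True, None


if __name__ == "__main__":
    legacy = make_hash("correct horse", scheme="sha1")
    ok, upgraded = verify_and_upgrade(legacy, "correct horse")
    print(ok, upgraded)
```

Rehash-on-login only migrates accounts that actually log in; dormant accounts keep their legacy hash, which is the gap the site-wide reset tomreyn proposes would close.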
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 30, 2013, 11:29:07 AM
Quote
suggests a confusion between brute-force and dictionary attacks, and the explanatory assertion

No, it does not... I already explained.

Quote
confirms the confusion. The alternative explanation:

Um, no... Absolutely not. Do you even read what I said?

Quote
I think salting has already been discussed,

Indeed it has been, but it looks like you missed a relevant part of that discussion in this very topic.



I'm kinda done discussing this with you as you keep putting everything I say into a self-made-up context pulled from thin air, nor do you read well, I'm not going to play that game...
Have a good day and good luck. :)
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 31, 2013, 03:36:35 AM
Quote from: CoreISP on July 30, 2013, 11:29:07 AM
Do you even read what I said?

I have read what you wrote, as others will, and if they know what they are talking about they will conclude that you do not. Perhaps, when you have gained a little more experience, you will arrive at the same conclusion. I am not playing a game with you, just trying to cut through the specious bluster.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on July 31, 2013, 03:48:13 AM
Kind of relevant - this in detail is how they did the same to Ubuntu - however it appears an XSS in vBulletin was to blame from the start...

http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on July 31, 2013, 04:25:55 AM
Quote from: Tony Reid on July 31, 2013, 03:48:13 AM
how they did the same to Ubuntu

A lot of learning going on - shame the various vulnerabilities weren't picked up by ethical hacking.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 31, 2013, 12:34:01 PM
Quote
I have read what you wrote, as others will, and if they know what they are talking about they will conclude that you do not. Perhaps, when you have gained a little more experience, you will arrive at the same conclusion. I am not playing a game with you, just trying to cut through the specious bluster.

Oh by all means please do get off your high horse... You can get back up on it when you have learned how to read and stop making things up that I never claimed nor said.
Either stick to what actually has been said without altering its meaning based on assumptions that solely exist in your mind, or please simply don't say anything at all...
As for experience, I won't even be tempted to go down that road as I'm really not interested in a d*** measuring contest, pardon the French.


Thanks in advance.
Title: Re: IMPORTANT: Community security breach
Post by: a10 on July 31, 2013, 12:44:48 PM
What's the view on passwords stored in browsers, how safe are they? (not thinking about theft of pc or keylogger etc, but hacking)
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 31, 2013, 01:51:34 PM
Quote from: a10gf on July 31, 2013, 12:44:48 PM
What's the view on passwords stored in browsers, how safe are they? (not thinking about theft of pc or keylogger etc, but hacking)
Your computer is not affected, but you might want to tell your browser to update your password.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 31, 2013, 01:54:57 PM
I think he was asking for our opinion on the security protocol --   should he be storing password in his browser?

and the answer to that is: Store what you feel comfortable storing - with the understanding that - if your computer itself is ever hacked or you accidentally install a trojan, all of your data will be available to that hacker.
Title: Re: IMPORTANT: Community security breach
Post by: a10 on July 31, 2013, 03:54:11 PM
Quote
our opinion on the security protocol
Yes. I suppose most here have at least some of their personal forum related PW's stored (login, ftp, sql etc) in the browser, and feel secure doing so. Anyone ever heard of, or read about, any browser stored passwords ever being exploited? (have never seen this mentioned anywhere so far, but I'd guess the hackers must be working on it).
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on July 31, 2013, 03:59:44 PM
Quote from: Kindred on July 31, 2013, 01:54:57 PM
if your computer itself is ever hacked or you accidentally install a trojan, all of your data will be available to that hacker.


Of course hackers have done this for ages...   it was one of the first goals of trojans, even before keyloggers.
Since the data is stored on your computer, anyone with access to your computer can get to it.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on July 31, 2013, 07:33:19 PM
Browsers storing passwords is not very secure.
It's still not 100% secure of course, but storing your passwords in an encrypted container, like KeePass, reduces the risk of the passwords being stolen.
Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on July 31, 2013, 07:36:55 PM
Using RoboForm is a very good idea.
It stores the passwords in your documents folder and is cross browser.
Even integrates with Windows.

http://www.roboform.com/
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 31, 2013, 07:48:49 PM
Quote from: BurkeKnight on July 31, 2013, 07:36:55 PM
Using RoboForm is a very good idea.
It stores the passwords in your documents folder and is cross browser.
Even integrates with Windows.

http://www.roboform.com/
To be honest with you, I'd never trust password managers which are not open source. You don't know if they send data back to roboform or so.
Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on July 31, 2013, 08:07:11 PM
RoboForm does not send any personal info.
If you pay for the desktop instead of just getting the free, you get more features.
You also can set up a master password to further protect your passwords.
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on July 31, 2013, 08:24:40 PM
Quote from: BurkeKnight on July 31, 2013, 08:07:11 PM
RoboForm does not send any personal info.
If you pay for the desktop instead of just getting the free, you get more features.
You also can set up a master password to further protect your passwords.
Point still applies,  how do you know for sure that it does not send any data or passwords to the company?
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 01, 2013, 04:26:58 AM
Quote from: CoreISP on July 31, 2013, 12:34:01 PM
[...]

I know you have reason to feel vulnerable and defensive at the moment, but your efforts to cover your shaky grasp of the subject in hand with verbal smoke and flame do neither you nor anyone else any favours. You are not inspiring confidence. Please control yourself and your language.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 01, 2013, 04:29:30 AM
Quote from: a10gf on July 31, 2013, 12:44:48 PM
passwords stored in browsers, how safe are they? (not thinking about theft of pc or keylogger etc, but hacking)

Banking sites tend not to let your browser save your password, with good reason. A number of respected authorities and crime-prevention agencies have suggested that if you can't remember your strong passwords then write them down on old-fashioned paper (or encrypted on an unconnected device) and rely on adequate physical security, and in many cases that may be the least-worst option - the remaining weakest link, as you suggest, is between your keyboard and the secure connection.
Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on August 01, 2013, 04:34:20 AM
Tiny Clanger,

The only person here that has no idea what they are talking about, is YOU!

This is a simple case of one person making the mistake of using the same password at more than one site. Something that is very frowned upon everywhere. It does not matter one iota where the password was stored. Browser, brain, it's all the same in this case.

As for CoreISP, he's been very patient with people, and he's usually the cool headed one here.
I'm the hot headed one, want to argue and be rude with me?
Take your best shot, and I do say good luck.

Everything CoreISP and the other staff has said is the way it is. If you think they are full of it, then by all means, do read their posts.
If you think anything in the software could have prevented this attack, why don't you explain how, Mr. Genius?
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 01, 2013, 06:08:45 AM
Quote from: BurkeKnight on August 01, 2013, 04:34:20 AM
It does not matter one iota where the password was stored. Browser, brain, it's all the same in this case.

Er, I was answering a question put by a10gf, which does not relate to the cause of this incident, but to password security in general. Others have commented on the same question.

None of my comments have related to the cause of this incident but to how one reacts to the aftermath. I do not suspect and have no reason to suggest that the cause had anything to do with the forum software. I could not comment on the general security of your systems and procedures because I do not have access to them - they may be as good as could be expected or may have identifiable deficiencies, but in any case I have no reason to suspect that they contributed to this incident.

I am reluctant to comment on the cause of the incident itself. In other cases where forums have fallen in short order, we know that it was because users with elevated privileges had picked up the same dodgy download which had been targeted at users of one of the sites. Where daisy-chaining has occurred, it has tended to be by following the email addresses home or by knocking lists on large or high value sites (like Twitter - remember the Acai berries). However, I assume that you have evidence either that your admin's login could be readily cross-referenced to this site or that the login came while lists were being knocked on it. (If it was a distributed, knock-once-and-run-away attack then they got awfully lucky.) In any event, the failure was human, and we're all human.

With regard to CoreISP, I wish him no ill will, but confident bluffing is no substitute for understanding, and I find it disappointing that he should persist in the manner he has (and the descent into body references was poor behaviour).
Title: Re: IMPORTANT: Community security breach
Post by: butch2k on August 01, 2013, 06:49:05 AM
Quote from: a10gf on July 31, 2013, 03:54:11 PM
Quote
our opinion on the security protocol
Yes. I suppose most here have at least some of their personal forum related PW's stored (login, ftp, sql etc) in the browser, and feel secure doing so. Anyone ever heard of, or read about, any browser stored passwords ever being exploited? (have never seen this mentioned anywhere so far, but I'd guess the hackers must be working on it).

As an ex-security auditor, I do not put much faith in browser password security...
There are various tools available which are able to read passwords from Chrome, FF et al.
AFAIR the tools did not even require elevated privileges to run, so yes it could be done, and it was probably done at some point by a trojan.
Title: Re: IMPORTANT: Community security breach
Post by: Tony Reid on August 01, 2013, 07:10:53 AM
It's easy, just turn the browser developer tools on, view source and then change the input box from type="password" to type="text" and it instantly reveals the password on the page. Of course, this requires access to the machine.

Hackers are more likely going to try and grab your logged on session though - rather than installing software, because it's less obtrusive and therefore less likely to be picked up by security software.

Title: Re: IMPORTANT: Community security breach
Post by: Burke ♞ Knight on August 01, 2013, 07:17:35 AM
Another thing to look for.
People saying they are from certain places, asking for username and passwords, saying it's for tech support issues.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 01, 2013, 08:45:04 AM
Quote from: butch2k on August 01, 2013, 06:49:05 AM
yes it could be done, and it was probably done at some point by trojan.

Like Trojan-PWS-Nslog
Title: Re: IMPORTANT: Community security breach
Post by: a10 on August 01, 2013, 10:17:01 AM
Regarding browser stored PW's, basically, I get it that the encryption is not very strong (or not strong enough).

Quote
Hackers are more likely going to try and grab your logged on session though - rather than installing software, because it's less obtrusive and therefore less likely to be picked up by security software.
Good point as well.

Thanks for all the info > read through this whole topic and one will be quite educated/updated in the whole PW and security dept.
Title: Re: IMPORTANT: Community security breach
Post by: FrizzleFried on August 01, 2013, 10:55:04 AM
Quote from: Tiny Clanger on August 01, 2013, 04:26:58 AM
Quote from: CoreISP on July 31, 2013, 12:34:01 PM
[...]

I know you have reason to feel vulnerable and defensive at the moment, but your efforts to cover your shaky grasp of the subject in hand with verbal smoke and flame do neither you nor anyone else any favours. You are not inspiring confidence. Please control yourself and your language.

See guys... what I said about "low post" losers... er... users.

Hey man,  you're disrespectful  Go away.

PS: Mods... Yes,  I broke a rule,  please do what is necessary... just had to be said.


-note by kindred- edited for content... :(
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on August 01, 2013, 12:43:52 PM
Quote from: Tiny Clanger on August 01, 2013, 04:26:58 AM
I know you have reason to feel vulnerable and defensive at the moment, but your efforts to cover your shaky grasp of the subject in hand with verbal smoke and flame do neither you nor anyone else any favours. You are not inspiring confidence. Please control yourself and your language.

Cute. Still not reading, and then blaming me for having a "shaky grasp of the subject". :)
And this is the second time you're throwing a futile attempt trying to belittle or offend me, not sure which one of the two it is you're trying to achieve, without any reason and I'm not sure why I even tolerate it.
That and ignoring my request to stick to what has been posted, rather than what you posted and putting words in my mouth. You're actually talking yourself down.

For the last time: stop this offtopic nonsense or begone from this thread.
I'm much more interested in answering questions from people who actually have any questions and/or concerns about their safety and I fear that such questions are at risk of being drowned in between this useless back and forth chatter.

Thanks.
Title: Re: IMPORTANT: Community security breach
Post by: CandC on August 01, 2013, 01:56:05 PM
I got my email on 7/23 and took the time to read the first 5 pages and the last 10 pages of this thread which is now on pg. 25.   

I hate the community and members are having to deal with this, but I've got to admit it was the final kick in the pants I needed to make my internet practices more secure.  I've always had a pretty strong password and figured since it was quite complicated it was OK to use it across almost all the sites I use. I've known it wasn't the best practice, but couldn't fathom having to create & remember a unique password for each site. Yeah, feel free to roll your eyes at me, I deserve it.

This incident ended my procrastination and I've now spent 2 days going to each and every site I'm registered and changed my password to one that's unique to each site and a formula I can remember.  I don't recall who it was, but early in the thread someone posted a link to an article that helped me craft my new password... thank you for that whoever you are :)

Link: http://www.pcworld.com/article/227023/how_to_build_a_better_password.html (http://www.pcworld.com/article/227023/how_to_build_a_better_password.html)


As far as the browser remembering passwords discussion - I have always made it a practice to log out of every site I'm on before moving to another and/or closing my browser window. 


Finally, a sincere Thank-You to all the support team members here who have been patient with the questions and calming the nerves of the members who got the notice.
Title: Re: IMPORTANT: Community security breach
Post by: kat on August 01, 2013, 02:15:51 PM
Nicely put, Cand. :)

Thanks for your kindness, towards us, too.
Title: Re: IMPORTANT: Community security breach
Post by: TssCman123 on August 01, 2013, 06:16:26 PM
I have changed my password as well.  I would encourage members to keep an eye on their e-mail accounts, as the hackers have those as well.  You might also be spammed.  Please view this article (http://www.onguardonline.gov/articles/0038-spam#report) about dealing with spam.

I use different passwords for all of my accounts.  My SMF password is currently 272 bit encryption with 50 characters.

Thank you, SMF, for letting us know about this, and not trying to keep this a secret.  I appreciate it.

We should also lookout for new websites that will try to imitate this one.

I would recommend employing the anti spam system for all members (before posting) until time passes.  The hacker could login through a member's account, and have a script spam this place up.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on August 01, 2013, 06:48:19 PM
no, we will not do that. The staff here is pretty vigilant and if we notice any spamming accounts, they will be dealt with.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 02, 2013, 04:56:46 AM
Quote from: FrizzleFried on August 01, 2013, 10:55:04 AM
Go away.

Flamed by FrizzleFried. I shall wear that as a badge of honour. (You'll be glad to know I saw the unexpurgated version before Kindred got to it and edited for obscenity.)
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 02, 2013, 05:00:42 AM
Quote from: CandC on August 01, 2013, 01:56:05 PM
I don't recall who it was, but early in the thread someone posted a link to an article that helped me craft my new password... thank you for that whoever you are :)

Link: http://www.pcworld.com/article/227023/how_to_build_a_better_password.html (http://www.pcworld.com/article/227023/how_to_build_a_better_password.html)

Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades. So, in the example given, Ch!cken and @dob0 are effectively dictionary words. Adding a couple of extra letters to identify your site looks like a good idea, but crackers use automated rules to try patterns like **wordword (where * is any letter/number/symbol and word is any cracker's-dictionary word), word**word, wordword**, and so on. So, although it won't fall alongside 123456, l3tm31n, and qwerty, it will fall soon thereafter. If you reuse Ch!cken**@dob0 across accounts, the pattern is easy to guess, and your other accounts are only protected by combinations of **, which is few enough to go knocking on-line.

I wouldn't "cast the first stone" at the author of that article, because we've all done things like that at one time or another.
Title: Re: IMPORTANT: Community security breach
Post by: Peregrinus on August 02, 2013, 05:01:32 AM
-edit-
User has been banned for this post.
Title: Re: IMPORTANT: Community security breach
Post by: Antes on August 02, 2013, 05:10:36 AM
Quote from: Peregrinus on August 02, 2013, 05:01:32 AM
I'm getting pissed off with 'CoreISP'. He is shamelessly promoting his website here and talking ******. Are you Dutch CoreISP? Ik weet genoeg, oprotten met je gelul. Are you a mod here or are you just spamming?

Please watch what you're writing, you can't attack people.

CoreISP is President of Simple Machines Organization. Beside your nonsense talks I never saw him spamming and you are accusing some top level person in this project/organization with unsupported *ideas* (aka bull******s).
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 02, 2013, 05:14:56 AM
 Please note, I have no idea who Peregrinus is, and in general, can we please cut down on the number of asterisks? We can discuss this without getting heated.
Title: Re: IMPORTANT: Community security breach
Post by: Peregrinus on August 02, 2013, 06:04:44 AM
I alerted 'Coreisp' to the fact that ip's would be available to the hacker. He dismissed it. Funny hey?
Title: Re: IMPORTANT: Community security breach
Post by: margarett on August 02, 2013, 06:48:24 AM
This discussion is going nowhere now.

All the relevant technical discussion is now buried in some of those 25 pages that no-one seems to have patience to read, so we are repeating the same stuff over and over.
Quote from: Peregrinus on August 02, 2013, 06:04:44 AM
I alerted 'Coreisp' to the fact that ip's would be available to the hacker.
Because:
1 - it was stated more than once in those 25 pages. You should try to read them
2 - CoreISP is aware of that, more than you or me, for what matters. If you read the 25 pages you will discover that the general opinion is that "it's not relevant": most of the users use dynamic IP addresses, and having your IP is pointless, unless someone is targeting YOU specifically. This attack is a "large scale password gathering" thing.

I fail to understand the "dick-measuring-contest" with CoreISP that some users are trying to set here... Ego massage maybe?

For a real discussion:
Quote from: Tiny Clanger on August 02, 2013, 05:00:42 AM
Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades...
Another link provided in this thread
http://password-checker.online-domain-tools.com/
allows one to confirm that. Even if some l33t writing builds a so-called "strong" password, it's pointless against a dictionary attack.
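The point made in Tiny Clanger's post and restated here by margarett, as an added example (not from the thread or from SMF): a password checker that first undoes leet substitutions and then looks for the word-pattern rules a cracker applies, so that Ch!cken**@dob0 is costed as two dictionary words plus two free characters rather than as 14 random characters. The wordlist is a constructed stand-in, and DICT_SIZE and CHARSET are assumed model parameters.

```python
import math

# Constructed mini wordlist standing in for a cracker's dictionary. DICT_SIZE is an
# assumed size for a real one; CHARSET is the naive brute-force alphabet (printable ASCII).
WORDLIST = {"chicken", "adobo", "red", "wine", "bottle", "password", "letmein", "qwerty"}
DICT_SIZE = 100_000
CHARSET = 95

# Leet substitutions that cracking rule sets have applied for years.
LEET = str.maketrans({"!": "i", "1": "i", "|": "l", "3": "e", "@": "a", "4": "a",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def deleet(password):
    """Undo case and common leet substitutions, the first thing a rule set tries."""
    return password.lower().translate(LEET)


def cheapest_split(text):
    """Cheapest way, under the rule-based model, to cover every position of the
    de-leeted text: a position is covered either by a dictionary word (DICT_SIZE
    candidates) or by one arbitrary character (CHARSET candidates).
    Returns (log2 of guesses, segments); each segment is (text, is_dictionary_word)."""
    n = len(text)
    best = [(0.0, [])] + [(math.inf, None)] * n
    for i in range(n):
        cost, segs = best[i]
        # cover this position with one arbitrary character
        c = cost + math.log2(CHARSET)
        if c < best[i + 1][0]:
            best[i + 1] = (c, segs + [(text[i], False)])
        # or with a dictionary word starting here
        for j in range(i + 1, n + 1):
            if text[i:j] in WORDLIST:
                c = cost + math.log2(DICT_SIZE)
                if c < best[j][0]:
                    best[j] = (c, segs + [(text[i:j], True)])
    return best[n]


def assess(password):
    """Compare the naive brute-force cost with the rule-based estimate."""
    bits, segments = cheapest_split(deleet(password))
    return {
        "naive_bits": round(len(password) * math.log2(CHARSET), 1),
        "modelled_bits": round(bits, 1),
        "words": [s for s, is_word in segments if is_word],
        "free_chars": sum(1 for _, is_word in segments if not is_word),
    }


def reuse_budget(password):
    """Guesses left once the word pattern is known from another leaked account:
    only the non-word characters still vary (95**2 == 9025 for Ch!cken**@dob0)."""
    return CHARSET ** assess(password)["free_chars"]


if __name__ == "__main__":
    for pw in ("Ch!cken**@dob0", "redwinebottle", "xK9#vQ2m"):
        print(pw, assess(pw), "reuse budget:", reuse_budget(pw))
```

The model only covers the leet and word-pattern rules discussed above; a real cracker also tries top-password lists and many more rules, so the estimate is an upper bound on strength, never a lower one.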
Title: Re: IMPORTANT: Community security breach
Post by: Peregrinus on August 02, 2013, 06:54:12 AM
Quote from: margarett on August 02, 2013, 06:48:24 AM
This discussion is going nowhere now.

All the relevant technical discussion is now buried in some of those 25 pages that no-one seems to have patience to read, so we are repeating the same stuff over and over.
Quote from: Peregrinus on August 02, 2013, 06:04:44 AM
I alerted 'Coreisp' to the fact that ip's would be available to the hacker.
Because:
1 - it was stated more than once in those 25 pages. You should try to read them
2 - CoreISP is aware of that, more than you or me, for what matters. If you read the 25 pages you will discover that the general opinion is that "it's not relevant": most of the users use dynamic IP addresses, and having your IP is pointless, unless someone is targeting YOU specifically. This attack is a "large scale password gathering" thing.

I fail to understand the "dick-measuring-contest" with CoreISP that some users are trying to set here... Ego massage maybe?

For a real discussion:
Quote from: Tiny Clanger on August 02, 2013, 05:00:42 AM
Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades...
Another link provided in this thread
http://password-checker.online-domain-tools.com/
allows one to confirm that. Even if some l33t writing builds a so-called "strong" password, it's pointless against a dictionary attack.

I've read the lot...to say that most people have 'dynamic ip's' is just bollox. Most people have a cable or DSL connection so their ip's are the same for months...stop talking shi! Who's on dial up now? lol
Title: Re: IMPORTANT: Community security breach
Post by: kat on August 02, 2013, 06:57:15 AM
Keep it friendly, Peregrinus, please.
Title: Re: IMPORTANT: Community security breach
Post by: Peregrinus on August 02, 2013, 07:05:35 AM
Quote from: K@ on August 02, 2013, 06:57:15 AM
Keep it friendly, Peregrinus, please.

I will, I just don't like denial :)
Title: Re: IMPORTANT: Community security breach
Post by: Peregrinus on August 02, 2013, 07:07:43 AM
At the end of the day, these hackers have EVERYONE'S IP addresses now. I think it appropriate to make that fact aware...and with a password what's to stop the hacker from accessing somebody's computer?
Title: Re: IMPORTANT: Community security breach
Post by: margarett on August 02, 2013, 07:12:43 AM
Not only did you not read the 25 pages, you also didn't read my post, only a part of a sentence of it.
Did you read this:
Quote from: margarett on August 02, 2013, 06:48:24 AM
...most of the users use dynamic IP addresses, and having your IP is pointless, unless someone is targeting YOU specifically. This attack is a "large scale password gathering" thing.
?
And regarding the IP addresses, a growing number of users are going mobile these days.
Of course you are right to be concerned about the "lost" user info. But:
- as it was stated clearly, the goal of this attack is to gather passwords and cross-check them on other sites
- unless someone is targeting YOU, the IP addresses are more or less irrelevant...
You should be worried about passwords and e-mail addresses.

And it seems you also missed the point where I said this:
Quote from: margarett on August 02, 2013, 06:48:24 AM
This discussion is going nowhere now.
Your harsh reply confirms that...

edit: denial != contradictory
Title: Re: IMPORTANT: Community security breach
Post by: Peregrinus on August 02, 2013, 07:31:24 AM
Quote from: margarett on August 02, 2013, 07:12:43 AM

- as it was stated clearly, the goal of this attack is to gather passwords and cross-check them on other sites

How the fook do you know that? You don't...
Title: Re: IMPORTANT: Community security breach
Post by: margarett on August 02, 2013, 07:34:51 AM
First post of this thread:
Quote
The method used by the hacker is that a database is downloaded from another hacked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.
Title: Re: IMPORTANT: Community security breach
Post by: Peregrinus on August 02, 2013, 07:43:16 AM
Quote all you like...A database of ip's and passwords and e-mails is fruit! I know how hackers work...you should alert everyone to the fact that even their computer could get hacked...
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on August 02, 2013, 07:48:31 AM
Peregrinus

Please go away now.
We know what we are talking about. You know a little bit but assume that you know more.
I will say this one more time for clarity.
Yes, the hacker got the database. Yes, the hacker has the IPs.
The hacker is not interested in individual PCs (besides the fact that almost all PCs have firewalls, either on the PC or in the router)
We know what the hacker was doing and what he was after because this is part of a coordinated and escalating track on his part.

At this point, you are doing nothing but trolling and will, henceforth, be treated as such.
Title: Re: IMPORTANT: Community security breach
Post by: kat on August 02, 2013, 08:54:23 AM
Title: Re: IMPORTANT: Community security breach
Post by: CandC on August 02, 2013, 09:10:26 AM
Quote from: Tiny Clanger on August 02, 2013, 05:00:42 AM
Quote from: CandC on August 01, 2013, 01:56:05 PM
I don't recall who it was, but early in the thread someone posted a link to an article that helped me craft my new password... thank you for that whoever you are :)

Link: http://www.pcworld.com/article/227023/how_to_build_a_better_password.html (http://www.pcworld.com/article/227023/how_to_build_a_better_password.html)

Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades. So, in the example given, Ch!cken and @dob0 are effectively dictionary words. Adding a couple of extra letters to identify your site looks like a good idea, but crackers use automated rules to try patterns like **wordword (where * is any letter/number/symbol and word is any cracker's-dictionary word), word**word, wordword**, and so on. So, although it won't fall alongside 123456, l3tm31n, and qwerty, it will fall soon thereafter. If you reuse Ch!cken**@dob0 across accounts, the pattern is easy to guess, and your other accounts are only protected by combinations of **, which is few enough to go knocking on-line.

I wouldn't "cast the first stone" at the author of that article, because we've all done things like that at one time or another.

I won't deny your reply has merit and I would be more concerned IF I had used only the link's guidelines or your type of examples.  I used that and other links I found to craft a unique password that I feel is much better than the one I was using before and it's not repeated on more than one site now. 

I don't use a passphrase.  I use letters(upper and lowercase), symbols and numbers to describe something I like (by a single letter or number used from each word) and then incorporate the unique web site detail I chose.  It's not perfect, but it's a heckuva lot better than what I was using before.


It seems some are more interested in being combative and heard/seen more than anything. I'm subscribed to this thread and those who only have rudeness to offer should consider that before posting more crap for the rest of us to have to scroll through.
Title: Re: IMPORTANT: Community security breach
Post by: ARG01 on August 02, 2013, 10:26:15 AM
Quote from: Peregrinus on August 02, 2013, 07:07:43 AM
At the end of the day, these hackers have EVERYONE'S IP addresses now. I think it appropriate to make that fact aware...and with a password what's to stop the hacker from accessing somebody's computer?

Password or not, these days hackers are the norm and will access ones computer at will. The vast majority have their computers hacked on a regular basis and without even knowing it.
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on August 02, 2013, 10:42:25 AM
Quote from: Peregrinus on August 02, 2013, 07:07:43 AM
At the end of the day, these hackers have EVERYONE'S IP addresses now. I think it appropriate to make that fact aware...and with a password what's to stop the hacker from accessing somebody's computer?

Perhaps the fact that most end-user computers don't have any kind of remote access running? Well, that plus most residential connections are behind a NAT and a firewall, which makes things a bit more difficult. Your second sentence makes me think you really don't have any clue.

Users are much more likely to get an infection by accessing a compromised website than by a direct attack from someone.

By the way, my IP is currently 108.23.63.181.
Title: Re: IMPORTANT: Community security breach
Post by: Joker™ on August 02, 2013, 11:21:03 AM
This post is completely for knowledge base and I don't take any responsibility what you do after reading this.

Hmm, seeing the way this topic is going off topic, this is just an attempt to spread some knowledge around and get the topic back on track.

Haven't we accessed any free wifi in cafes etc at some point in our life? We went to a friend's home and used his network. Ohh, above all that, don't we use our workplace networks for personal usage from our workstations/phones etc?

We know all this can land us in trouble, but still we used all those sort of access points even after reading tons of warnings about them.

Meh Joker, went full retard? Nope.

One of the tools (http://en.wikipedia.org/wiki/Wireshark) I used a few years ago in college to demonstrate to my juniors during a seminar why it is unhealthy to access such networks. With Wireshark I was able to show them nearly everything they were doing with their devices one by one using proper filters. When I started showing them exactly what they were doing, headers sent in traffic and responses received by them, there was a complete silence (unlike this topic). Just think what all one can see in the traffic and how secure does it leave us with such connections.


Ok, I don't have a laptop/desktop, what can I do? Lol, I even have an answer to that. Using my Android based phone, if you & I are on the same network and you have anything shared, I can copy paste those files/folders to my device with the help of a few tools. I can even see what exactly you are doing on the network right now, and by right now I mean right now. Google 'fing'.

So the question is: why is Joker blabbering all this right now?

My point is:
- When you are so insecure with the networks out there and people are still using them mindlessly, then why is there an outcry over here?
- Do you ask those network admins whether they are making use of such tools?
- Do you even know those network admins (I personally don't know my workplace network admin)?

So, you don't know who is seeing your info on network you are using? How much of your info has been already stolen over network?

But when someone comes forward and tells you that someone has stolen your info, one starts quibbling over it. Instead of using our knowledge and helping the admin to make the place more secure, we pick up hammers and start beating the admin with it.

Lol, on a side note: when I showed the power of these tools, my team always completed work before time (as they can't do FB :D), and we always went for parties on the weekend easily :P.
Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on August 02, 2013, 12:12:53 PM
Ok I very slightly cleaned the topic up to force compliance with requests and even had to hand a ban, which is rather sad that such a measure was even required.

This topic is intended to warn people about the security compromise we encountered. I am glad to see this spawned a massive discussion on security and password management with many different points of view on how to achieve the best security possible. There are multiple ways to achieve security, one better than the other, one easier to use yet less secure. In my opinion, the best way is probably to find a middle ground. Too easy is a security issue, but overly secure making it difficult for people to work with may work adversely as people will try to patch it by making it easier for themselves: breaking security once more.

The most important thing is: people ARE all thinking about it now. A massive wake up call. From that point of view there's something good that came out of this compromise.
In the end, more people will think twice about their (password) security now and that's very good.
Still of course it would have been much more preferable people would think about that without our database being compromised, but that unfortunately happened.

Now, if you have a personal issue with me: that's fine. I guess it's inevitable when posting in this topic so much and the undeniable fact that trolls are everywhere.
Yet, if you wish to make it official: either watch your language or send me a PM. Not that I will accept personal level insults in PM, so keep in mind this is not an invitation to do that ;), but at least keep the topic clean if you feel the need to start a discussion with me on a personal level.

As for one concern raised, for the second time by the same user:

Quote from: Peregrinus on August 02, 2013, 06:04:44 AM
I alerted 'Coreisp' to the fact that ip's would be available to the hacker. He dismissed it. Funny hey?

He did indeed point that out in this topic.
I'm not sure if I have dismissed it, but I probably did and probably in the same way as Motoko (青山 素子) did in this post (http://www.simplemachines.org/community/index.php?topic=508232.msg3587154#msg3587154).

Keep in mind that there are *a lot* of IP's in the database. Some users even have multiple IP's associated with their account, impossible for whoever holds the database to figure out which IP is actually their active IP. And even IF that knowledge is available: it's still not a major security risk.
If anything, it's a mere inconvenience and I don't understand why this user appears to be more afraid that his IP was stolen than that his password used here is vulnerable...

IP's are quite trivial while passwords are very sensitive information, in combination with email addresses even more dangerous.
I guess we're not all set on the same priorities, though. :) I will probably never understand why a user feels an IP being leaked (even though you broadcast your IP to many, many places) is much more important information than a password. Yes, it's annoying they were stolen. No, I do not consider it a major security risk and by far not the most important information that was stolen from our database.

So I implore everyone once more:
Please stay strictly to the point, and if you feel the need to make a personal attack: don't do it, or at least don't do it in this topic. Keep it clean, keep it friendly.
All the nonsense posts make it harder to read the valuable information that this topic contains. And yes, there is VERY valuable information in this topic. :)

And last but not least: thank you for the kind words of multiple people. :) I do appreciate it!


Thanks!
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 02, 2013, 12:43:53 PM
Quote from: CandC on August 02, 2013, 09:10:26 AM
I won't deny your reply has merit and I would be more concerned IF

I'm happy if you didn't fall into the errors of that article. I wouldn't want anyone else to do so, as it comes from a normally trustworthy source.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 02, 2013, 12:48:11 PM
Quote from: 青山 素子 on August 02, 2013, 10:42:25 AM
Perhaps the fact that most end-user computers don't have any kind of remote access running?

Or in other cases the password is known only to the ISP and access is limited by IP. If you want to check just how little the outside world can see you, try https://www.grc.com/shieldsup (If remote access is enabled on your router, it may be on 8080 rather than 80.)
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on August 02, 2013, 05:05:11 PM
Quote from: Tiny Clanger on August 02, 2013, 12:48:11 PM
Or in other cases the password is known only to the ISP and access is limited by IP.

What password is this? I'd hope my ISP doesn't know my various website account passwords. They certainly better not know my local computer account password.


Quote from: Tiny Clanger on August 02, 2013, 12:48:11 PM
If you want to check just how little the outside world can see you, try https://www.grc.com/shieldsup (If remote access is enabled on your router, it may be on 8080 rather than 80.)

Oh boy, Steve Gibson... That guy is a bit of a hack. His claim to fame was with Spinrite (which isn't as useful now since hdd tech has evolved so much from the old MFM/RLL days of the AT). His whole thing against UPnP was almost nothing but scaremongering. It was somewhat relevant back when it first came out but has become a lot less useful in the over ten years since. Security and configurations have improved a lot since Windows Me was released.
Title: Re: IMPORTANT: Community security breach
Post by: Tiny Clanger on August 03, 2013, 08:07:35 AM
Quote from: 青山 素子 on August 02, 2013, 05:05:11 PM
I'd hope my ISP doesn't know

No - just referring to ISPs shipping routers with remote access (to the router) enabled by default and locked to a support IP range. I'm agreeing with your point. Apologies for any ambiguity.

I'm not completely sanguine about UPnP in a wider sense, but would agree that it's not likely to be relevant to the current issue.

For an alternative to the grc thing, there's http://www.canyouseeme.org/ My reason for linking shieldsup is that for many it will give a reassuring sense of stealth - but the button to click is All Service Ports.
Title: Re: IMPORTANT: Community security breach
Post by: inter on August 03, 2013, 10:28:26 AM
ubuntuforums.org hack

yii forum hack

smf hack

idea 1 here (http://www.simplemachines.org/community/index.php?topic=508232.msg3582083#msg3582083)
idea 2:
still it is necessary to disconnect editing of templates - after all there it is possible to insert any code and it will work
Title: Re: IMPORTANT: Community security breach
Post by: Deaks on August 03, 2013, 10:42:00 AM
inter they never edited the template here, they uploaded a normal theme with a few extra files, when removing these extra files the theme itself was as you would find it on the themesite.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on August 03, 2013, 12:53:36 PM
and we have already indicated that the hacker did not use the smf database backup function.

So, both your ideas are basically pointless.
Title: Re: IMPORTANT: Community security breach
Post by: Maxie2019 on August 04, 2013, 12:37:07 PM
Hi All,

I'm new to this and have been hoyed in at the deep end, but please bear with me. Our site was hacked over the weekend, which was only discovered after it crashed. The site is up and running now, but the nice hacker has left behind buttons and links to the 'HugeDomains' website. Our usual Admin has other commitments and so it falls to me to get savvy with the inner workings of the site - pretty quickly. I can see the reference to the button by just viewing the source code, but how do I get to the actual script page to remove the code?
Title: Re: IMPORTANT: Community security breach
Post by: 青山 素子 on August 04, 2013, 12:38:09 PM
Maxie, please post in the appropriate support board. This topic is not the correct place to ask for support.
Title: Re: IMPORTANT: Community security breach
Post by: Maxie2019 on August 04, 2013, 02:47:27 PM
Quote from: 青山 素子 on August 04, 2013, 12:38:09 PM
Maxie, please post in the appropriate support board. This topic is not the correct place to ask for support.

Soz, didn't realise but I managed to sort it out myself. Cheers!!
Title: Re: IMPORTANT: Community security breach
Post by: Meomix on August 06, 2013, 07:14:30 AM
Oi Oi Oi, what the hell is going on? I just got a warning in my email that smf just got hacked and that it was a wide security breach nonetheless. I tried every password I could think of that could sign into my account on this site but to no avail; I had to change my password via email in order to log in here and complain. What is this? My passwords are a combination of letters and numbers, but they are in over 20 sites. I will be in the clear, right? Thankfully my hosting account uses another set of passwords entirely thanks to the chammerless banter of the boss and admin fighting over the coding.
Title: Re: IMPORTANT: Community security breach
Post by: kat on August 06, 2013, 07:24:27 AM
If you use the exact same password, on every site, I would assume that you COULD get problems.
Title: Re: IMPORTANT: Community security breach
Post by: Kindred on August 06, 2013, 07:33:04 AM
You should never use the same password between sites regardless of how "secure" the password itself is.
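The warning above (and the breach notice itself) is about credential stuffing: one leaked database becomes a key to every other site where the same password was used. The following script is an added example and not part of the thread or of SMF; it audits a constructed, clearly fake list of stored credentials for exact reuse and for the "same core password plus the site's name" variant that users often treat as unique. The vault contents, the site names and the function names are all assumptions made for the illustration.

```python
"""Audit a stored-credential list for password reuse across sites.

Added example for this thread; the vault below is constructed sample
data, not real credentials.
"""
from collections import defaultdict

# Constructed sample vault: (site, username, password).
SAMPLE_VAULT = [
    ("forum.example", "alice", "Tr0ub4dor&3"),
    ("mail.example", "alice", "Tr0ub4dor&3"),
    ("host.example", "alice", "Tr0ub4dor&3host"),   # core password + site name
    ("bank.example", "alice", "correct horse battery staple"),
    ("shop.example", "alice", "Tr0ub4dor&3"),
]


def exact_reuse(vault):
    """Map each password used on more than one site to the sorted list of those sites."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def site_variant_reuse(vault):
    """Find passwords that are another stored password with the site's first
    DNS label prepended or appended (case-insensitive), e.g. 'secret' and
    'secrethost' on host.example. Returns {site: [sites sharing the core]}."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)

    findings = {}
    for site, _user, password in vault:
        label = site.split(".")[0].lower()
        lower = password.lower()
        core = None
        if len(password) > len(label):
            if lower.endswith(label):
                core = password[: -len(label)]
            elif lower.startswith(label):
                core = password[len(label):]
        if core is not None and core in sites_by_password:
            findings[site] = sorted(s for s in sites_by_password[core] if s != site)
    return findings


def audit(vault):
    """Summarise the vault: how many distinct passwords cover how many accounts,
    plus both kinds of reuse. A healthy vault has distinct == accounts and
    empty reuse maps."""
    return {
        "accounts": len(vault),
        "distinct_passwords": len({pw for _s, _u, pw in vault}),
        "exact_reuse": exact_reuse(vault),
        "site_variant_reuse": site_variant_reuse(vault),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print(f"{report['accounts']} accounts, {report['distinct_passwords']} distinct passwords")
    for pw_sites in report["exact_reuse"].values():
        print("same password on:", ", ".join(pw_sites))
    for site, others in report["site_variant_reuse"].items():
        print(f"{site} uses a site-name variant of the password on: {', '.join(others)}")
```

Run against a real password manager export, every entry reported by either function is one that should be rotated to a unique, generated value after a breach notice like this one; the site-name variant is treated the same as exact reuse because anyone holding the core password only has to guess the site.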
Title: Re: IMPORTANT: Community security breach
Post by: chrishoggy on August 07, 2013, 04:22:39 AM
Unless you are stupid enough to use the same password as your own site, I don't really see a problem.
Server hack = Can happen to anybody, on any software package
Same password = A bit silly on an admin account, but we all make mistakes
Problem of SMF users = Only if you are stupid, and use admin password for other sites like this one.

I do wonder how many people did a little poo in their pants, when they realised they used their own admin password for other sites lol
Title: Re: IMPORTANT: Community security breach
Post by: NanoSector on August 07, 2013, 09:22:10 AM
Quote from: chrishoggy on August 07, 2013, 04:22:39 AM
I do wonder how many people did a little poo in their pants, when they realised they used their own admin password for other sites lol
Count up one... O:)
Changed it immediately though.
Title: Re: IMPORTANT: Community security breach
Post by: homebrewdave on August 07, 2013, 07:28:22 PM
Quote from: Yoshi on August 07, 2013, 09:22:10 AM
Quote from: chrishoggy on August 07, 2013, 04:22:39 AM
I do wonder how many people did a little poo in their pants, when they realised they used their own admin password for other sites lol
Count up one... O:)
Changed it immediately though.

haha
Title: Re: IMPORTANT: Community security breach
Post by: YaramazAskO on August 08, 2013, 05:58:45 AM
OMG!  :'(
Title: Re: IMPORTANT: Community security breach
Post by: Chalky on August 08, 2013, 06:02:35 AM
Quote from: YaramazAskO on August 08, 2013, 05:58:45 AM
OMG!  :'(

Yet you have only just registered with the sole purpose of making that constructive and informative commentary?  ::)
Title: Re: IMPORTANT: Community security breach
Post by: Zirkon on August 13, 2013, 06:10:43 PM
Yeah I don't know.

I got a dead horse out back... wonder how much I can charge for people to come and kick it? Thinking its a lucrative business op. No money in glue these days as all has gone paperless. Damn internet.  :)

Title: Re: IMPORTANT: Community security breach
Post by: LiroyvH on August 13, 2013, 11:41:23 PM
Quote from: Zirkon on August 13, 2013, 06:10:43 PM
I got a dead horse out back... wonder how much I can charge for people to come and kick it?

As with any service, people will only want to use it when it's free ;)


Closing this topic now, let me just point out one more time:
If you still haven't changed your password here and on other sites where you use the same password: please do it asap!

Would like to thank everyone that participated in the discussions in a good or less desirable way, who made suggestions and who understood that the SM/SMF team is run by people. ;)

Thank you so much, and stay safe!